Gentoo likewise has problematic patch security and package management. I have built more than a few of those systems. OpenBSD of course has less to patch, if installed without all the X. SLES has inherent kernel security and NX (Immunix-style development by Crispin Cowan), and packages can easily be hardened. All production use of Linux requires a good understanding of both patch management and server hardening, especially in a firewall.

My point is that whatever you choose, especially in a production environment, a process must be in place to track security issues, and apply patches with a modicum of dependence that they will, in fact, work, with insurance that the downtime will be ONE reboot (for a kernel patch/rebuild). You know that the day the exploit has been announced, the exploit scripts are in play?

*Gentoo has horrendous security issues. Do you know that every port open to both local networking and external applications is secure?*

http://www.gentoo.org/security/en/glsa/

[Example - I am pretty sure you are using wget (since it's part of the hand build process {you did build your gentoo distro by hand, didn't you?}) - first thing on the list....possibly mitigated because you don't have shell users to gain root, but there are a great many others that are a factor in a firewall application (net/dhcpd).]

*How are you going to be alerted tomorrow when the reverse engineers partner with progress to disassemble binaries/kernels/SSL entropy while building metasploit toys/tools to prove their intelligence is worth a book deal or consulting company?*

On Wed, Oct 21, 2009 at 7:46 AM, Paul Mooring wrote:

> I don't know as much about security as you do, but surely you're not
> suggesting that distros like suse or ubuntu are more secure than openbsd. I
> thought the whole purpose behind openbsd was to make a secure os, as opposed
> to suse for example which I quit using on firewall servers for the security
> issues created from all the unwanted packages installed by default. Are you
> saying I'm wrong in thinking that by default openBSD/pf has significantly
> less security issues than say gentoo/iptables (which is what I'm currently
> using in this set up)?
>
> -----Original Message-----
> From: Lisa Kachold
> Reply-to: Main PLUG discussion list <plug-discuss@lists.plug.phoenix.az.us>
> To: Main PLUG discussion list
> Subject: Re: Linux vs OpenBSD as a router
> Date: Tue, 20 Oct 2009 19:09:39 -0700
>
> On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring wrote:
>
> > I've been running linux routers using iproute2 and iptables for a while
> > now, and openBSD just had a new release which has me considering switching
> > my home setup to a BSD pf solution. Does anyone have any experience
> > comparing the two? I guess I'm also concerned about other software I use on
> > my linux router not being supported in openBSD (OpenVPN, OpenSwan, and
> > Quagga primarily).
>
> Hi! I agree that pf is easier. My first copy of FreeBSD was won from
> Defcon 6, answering a question correctly from the crowd, and I proceeded to
> learn about the wonders that are BSD for a command line (and Xterm) systems
> administrator.
>
> But seeing a good number of implementations of both linux and especially
> OpenBSD in the field, I see shameful exploits that have never been patched.
> I.e. they set it up (fail to test their rules fully with a full tool suite
> like BackTrack4 [but that is another subject]) and call it functionally
> adequate; the world marches on, and reverse engineers as progress continues,
> yet OpenBSD core kernel exploits (for instance) are never patched (like the
> well known null kernel dereference exploit).
>
> Here are the top $n reasons to avoid OpenBSD:
>
> 1) Use a distribution that provides automated source and binary patch
> management or updates like SLES, Redhat, or Ubuntu for your firewall
> source.
>
> http://www.openbsd.org/faq/faq15.html
>
> You are not going to have time to deal with issues brought forth from
> updates and kernel rebuilds on your bastion firewall system.
>
> 2) Example OpenBSD PF null pointer dereference & scapy:
>
> ------------------------------
> *PROBLEM:* OpenBSD PF Remote Denial Of Service Vulnerability. Exploiting
> this issue allows remote attackers to cause a kernel panic on affected
> computers, denying further service to legitimate users.
> *PLATFORM:* OpenBSD 4.3, 4.4, and 4.5 are affected.
> *ABSTRACT:* OpenBSD's PF firewall in OpenBSD 4.3 up to OpenBSD-current is
> prone to a remote Denial of Service during a null pointer dereference in
> relation with specially crafted IP datagrams. If the firewall handles such a
> packet the kernel panics. The vulnerability resides in 'sys/net/pf.c' in the
> pf_test() function.
>
> Ref: http://www.doecirc.energy.gov/bulletins/t-110.shtml
>
> Current release is 4.6, but you can bet there are no proactive patches for
> anything older than April 2009! Get scapy baby! Ref:
> http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/
>
> 3) IPv6 was hopelessly broken in OpenBSD up to 4.1 (2007)
>
> Remotely exploitable buffer overflow vulnerability, due to kernel memory
> design flaw in IPv6.
>
> Hey? Good thing I mentioned it, right, or are you all checking the source
> exploits on each distro tool you use? Are you all keeping up on all that
> source code in legacy systems? Script kiddies could just be running the
> python exploit example publicized here:
> http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/
>
> Ref: http://www.coresecurity.com/content/open-bsd-advisorie
>
> 4) Quagga bgpd denial of service vulnerability (not just for OpenBSD 4.4 or
> earlier, but it is trivial to update source in other distros):
>
> http://www.openbsd.org/errata44.html
>
> Other distros: Ref: http://www.securityfocus.com/bid/17979
>
> 5) OpenBSD 4.6 BIND dynamic zone update message crash (should you need to
> use BIND on your firewall).
>
> http://www.openbsd.org/security.html#46
>
> 6) Exploit mitigation techniques are very complex. Once you read through a
> well explained example, you will agree that one mitigation technique might
> not be sufficient.
>
> http://www.openbsd.org/papers/ven05-deraadt/index.html
>
> Summary: Check your security patch and exploits by release for OpenBSD
> here:
>
> http://www.openbsd.org/security.html
>
> Be sure to indicate to all your stakeholders that when you take down your
> firewall to implement these fixes EVERYTHING will be either down or at risk?
> Be sure to dd that original kernel to backup before attempting a patch, so
> you can swiftly roll back? Same thing for all the juicy binary sources,
> running unpatched...ignored and constantly under siege!
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> Skype: (623)239-3392
> AT&T: (503)754-4452
> www.obnosis.com
> http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg
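The process argued for at the top of this thread (track published advisories against what is actually installed on the firewall, and batch kernel fixes so the cost is a single reboot) can be automated. The script below is an added example written for this page; it is not code from any participant in the thread or from any distribution's tooling. The advisory list, its identifiers, the "fixed in" versions and the installed inventory are all constructed sample data chosen only to exercise the logic, not real advisory facts, even though the package names echo the thread (wget, dhcpd, quagga, bind).

```python
"""Match published advisories against an installed-package inventory.

Added example, not part of the original mailing-list thread. All advisory
identifiers, versions and the inventory below are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str            # advisory id (constructed placeholder, e.g. "ADV-0001")
    package: str          # affected package name as it appears in the inventory
    fixed_in: str         # first version that carries the fix (constructed)
    reboot_required: bool # True for kernel fixes, False for userland restarts


def version_key(version):
    """Turn '1.11.4p0' or '4.6' into a tuple of ints for ordering.

    Lenient on purpose: every run of digits becomes one component, so a
    patch suffix like 'p0' is compared as a trailing numeric component.
    Non-numeric tags (e.g. 'rc1') are ignored, which is acceptable for a
    first-pass report but not for a precise package manager.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def outstanding(advisories, installed):
    """Return the advisories whose package is installed below the fixed version."""
    hits = []
    for adv in advisories:
        current = installed.get(adv.package)
        if current is None:
            continue  # package not present on this host, so not exposed
        if version_key(current) < version_key(adv.fixed_in):
            hits.append(adv)
    return hits


def plan(advisories, installed):
    """Group outstanding advisories into one reboot batch and a restart-only batch.

    Every kernel-level fix lands in the same batch so the host takes exactly
    one reboot, which is the downtime budget argued for in the thread.
    """
    hits = outstanding(advisories, installed)
    reboot = sorted(a.ident for a in hits if a.reboot_required)
    restart_only = sorted(a.ident for a in hits if not a.reboot_required)
    return {
        "reboot": reboot,
        "restart_only": restart_only,
        "reboots_needed": 1 if reboot else 0,
    }


# Constructed sample advisories; identifiers and versions are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "kernel", "4.6", True),
    Advisory("ADV-0002", "wget", "1.12", False),
    Advisory("ADV-0003", "quagga", "0.99.11", False),
    Advisory("ADV-0004", "bind", "9.4.3", False),
    Advisory("ADV-0005", "kernel", "4.5", True),
]

# Constructed inventory of what a firewall host reports as installed.
INSTALLED = {
    "kernel": "4.4",
    "wget": "1.11.4p0",
    "quagga": "0.99.11",   # already at the fixed version
    "dhcpd": "3.0.5",      # installed, but no advisory in the sample list
}


if __name__ == "__main__":
    report = plan(ADVISORIES, INSTALLED)
    for bucket in ("reboot", "restart_only"):
        print(f"{bucket}: {', '.join(report[bucket]) or 'none'}")
    print(f"reboots needed: {report['reboots_needed']}")
```

In practice the advisory list would be fed from the distribution's published errata or GLSA feed and the inventory from the host's package database; the value of the script is that it is the advisories, not the admin's memory, that decide what is outstanding, and that it makes the "one reboot" claim checkable before a maintenance window is scheduled.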