Re: Linux vs OpenBSD as a router

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Linux vs OpenBSD as a router
On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring <> wrote:

> I've been running linux routers using iproute2 and iptables for a while
> now, and openBSD just had a new release which has me considering switching
> my home setup to a BSD pf solution. Does anyone have any experience
> comparing the two? I guess I'm also concerned about other software I use on
> my linux router not being supported in openBSD (OpenVPN, OpenSwan, and
> Quagga primarily).
>
> Hi! I agree that pf is easier. My first copy of FreeBSD was won from

Defcon 6, answering a question correctly from the crowd, and I proceeded to
learn about the wonders that are BSD for a command line (and Xterm) systems
administrator.

But seeing a good number of implementations of both linux and especially
OpenBSD in the field, I see shameful exploits that have never been patched.
I.E. They set it up, (fail to test their rules fully with a full tool suite
like BackTrack4 [but that is another subject]) and call it functionally
adequate; the world marches on, and reverse engineers as progress continues,
yet OpenBSD core kernel exploits (for instance) are never patched (like the
well known null kernel deference exploit).

Here are the top $n reasons to avoid OpenBSD:

1) Use a distribution that provides automated source and binary patch
management or updates like SLES, Redhat, or Ubuntu for your firewall
source.

http://www.openbsd.org/faq/faq15.html

You are not going to have time to deal with issues brought forth from
updates and kernel rebuilds on your bastion firewall system.

2) Example OpenBSD PF null pointer deference & scapy:

------------------------------
*PROBLEM:*OpenBSD PF Remote Denial Of Service Vulnerability Exploiting this
issue allows remote attackers to cause a kernel panic on affected computers,
denying further service to legitimate users.*PLATFORM:*OpenBSD 4.3, 4.4, and
4.5 are affected.*ABSTRACT:*OpenBSDs PF firewall in OpenBSD 4.3 up to
OpenBSD-current is prone to a remote Denial of Service during a null pointer
dereference in relation with special crafted IP datagrams. If the firewall
handles such a packet the kernel panics. The vulnerability resides in
'sys/net/pf.c' in the pf_test() function.

Ref: http://www.doecirc.energy.gov/bulletins/t-110.shtml

Current release is 4.6, but you can bet there are no proactive patches for
anything older than April 2009! Get scapy baby! Ref:
http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/

3) IPV6 wa hopelessly broken in OpenBSD up to 4.1 (2007)

Remotely exploitable buffer overflow vulnerability, due to kernel memory
design flaw in IPv6.

Hey? Good thing I mentioned it, right, or are you all checking the source
exploits on each distro tool you use? Are you all keeping up on all that
source code in legacy systems? Script kiddies could just be running the
python exploit example publicized here:
http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/

Ref: http://www.coresecurity.com/content/open-bsd-advisorie

4) Quagga bgpd denial of service vulnerability (not just for OpenBSD 4.4 or
earlier, but it is trivial to update source in other distros):

http://www.openbsd.org/errata44.html

Other distros:
Ref: http://www.securityfocus.com/bid/17979

5) OpenBSD 4.6 BIND dynamic zone update message crash (should you need to
use BIND on your firewall).

http://www.openbsd.org/security.html#46

6) Exploit mitigation techniques are very complex. Once you read through a
well explained example, you will agree, that one mitigation technique might
not be sufficient.

http://www.openbsd.org/papers/ven05-deraadt/index.html

Summary:
Check your security patch and exploits by release for OpenBSD here:

http://www.openbsd.org/security.html

Be sure to indicate to all your stakeholders that when you take down your
firewall to implement these fixes EVERYTHING will be either down or at risk?
Be sure to dd that original kernel to backup before attempting a patch, so
you can swiftly roll back? Same thing for all the juicy binary sources,
running unpatched...ignored and constantly under seige!



---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>




--
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss