Re: Linux vs OpenBSD as a router

Author: Paul Mooring
Date:  
To: Main PLUG discussion list
Subject: Re: Linux vs OpenBSD as a router
I definitely see what you're saying and agree that the most important
thing is to use a distro or OS that you have policies in place to stay
current on patches and updates, but I'm not sure I see your point about
gentoo security. It looks to me like that link shows a patch in portage
where gentoo had fixed an issue with wget (before similar updates were
out for suse, redhat, or ubuntu) which seems to me to be an indicator of
good security practices for a distro, and as far as securing open ports,
I would think you wouldn't open them up in the first place without
trusting the service on any particular port.

-----Original Message-----
From: Lisa Kachold <>
Reply-to: Main PLUG discussion list
<>
To: Main PLUG discussion list <>
Subject: Re: Linux vs OpenBSD as a router
Date: Wed, 21 Oct 2009 08:06:48 -0700

Gentoo likewise has problematic patch security and package management.
I have built more than a few of those systems.


OpenBSD of course has less to patch, if installed without all the X.


SLES has inherent kernel security and NX (immunix-style development by
Crispin Cowan), and packages can easily be hardened.


All production use of Linux requires a good understanding of both patch
management and server hardening, especially in a firewall.


My point is, that whatever you choose, especially in a production
environment, a process must be in place to track security issues, and
apply patches with a modicum of dependence that they will, in fact,
work, with insurance that the downtime will be ONE reboot (for a kernel
patch/rebuild).


You know that the day the exploit has been announced, the exploit
scripts are in play?


Gentoo has horrendous security issues. Do you know that every port open
to both local networking and external applications is secure?


http://www.gentoo.org/security/en/glsa/ [Example - I am pretty sure you
are using wget (since it's part of the hand build process {you did build
your gentoo distro by hand didn't you?}) - first thing on the
list... possibly mitigated because you don't have shell users to gain
root, but there are a great many others that are a factor in a firewall
application (net/dhcpd).]


How are you going to be alerted tomorrow when the reverse engineers
partner with progress to disassemble binaries/kernels/SSL entropy while
building metasploit toys/tools to prove their intelligence is worth a
book deal or consulting company?

On Wed, Oct 21, 2009 at 7:46 AM, Paul Mooring <>
wrote:
        I don't know as much about security as you do, but surely you're
        not suggesting that distros like suse or ubuntu are more secure
        than openbsd.  I thought the whole purpose behind openbsd was to
        make a secure os, as opposed to suse for example which I quit
        using on firewall servers for the security issues created from
        all the unwanted packages installed by default.  Are you saying
        I'm wrong in thinking that by default openBSD/pf has
        significantly fewer security issues than say gentoo/iptables
        (which is what I'm currently using in this set up)?




        -----Original Message-----
        From: Lisa Kachold <>
        Reply-to: Main PLUG discussion list
        <>
        To: Main PLUG discussion list
        <>
        Subject: Re: Linux vs OpenBSD as a router

        Date: Tue, 20 Oct 2009 19:09:39 -0700

        On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring
        <> wrote: 


                I've been running linux routers using iproute2 and
                iptables for a while now, and openBSD just had a new
                release which has me considering switching my home setup
                to a BSD pf solution.  Does anyone have any experience
                comparing the two?  I guess I'm also concerned about
                other software I use on my linux router not being
                supported in openBSD (OpenVPN, OpenSwan, and Quagga
                primarily).



        Hi!  I agree that pf is easier.  My first copy of FreeBSD was
        won from Defcon 6, answering a question correctly from the
        crowd, and I proceeded to learn about the wonders that are BSD
        for a command line (and Xterm) systems administrator. 


        But seeing a good number of implementations of both linux and
        especially OpenBSD in the field, I see shameful exploits that
        have never been patched.  I.e. they set it up, (fail to test
        their rules fully with a full tool suite like BackTrack4 [but
        that is another subject]) and call it functionally adequate; the
        world marches on, and reverse engineers as progress continues,
        yet OpenBSD core kernel exploits (for instance) are never
        patched (like the well known null kernel dereference exploit). 


        Here are the top $n reasons to avoid OpenBSD:  


        1) Use a distribution that provides automated source and binary
        patch management or updates like SLES, Redhat, or Ubuntu for
        your firewall source.  


        http://www.openbsd.org/faq/faq15.html 


        You are not going to have time to deal with issues brought forth
        from updates and kernel rebuilds on your bastion firewall
        system. 


        2)  Example OpenBSD PF null pointer dereference & scapy: 



        ________________________________
        PROBLEM: OpenBSD PF Remote Denial Of Service Vulnerability.
        Exploiting this issue allows remote attackers to cause a kernel
        panic on affected computers, denying further service to
        legitimate users.

        PLATFORM: OpenBSD 4.3, 4.4, and 4.5 are affected.

        ABSTRACT: OpenBSD's PF firewall in OpenBSD 4.3 up to
        OpenBSD-current is prone to a remote Denial of Service during a
        null pointer dereference in relation with specially crafted IP
        datagrams. If the firewall handles such a packet the kernel
        panics. The vulnerability resides in 'sys/net/pf.c' in the
        pf_test() function.
        ________________________________

        Ref:  http://www.doecirc.energy.gov/bulletins/t-110.shtml 


        Current release is 4.6, but you can bet there are no proactive
        patches for anything older than April 2009!  Get scapy baby!
         Ref:
         http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/ 


        3) IPv6 was hopelessly broken in OpenBSD up to 4.1 (2007) 


        Remotely exploitable buffer overflow vulnerability, due to
        kernel memory design flaw in IPv6.   


        Hey?  Good thing I mentioned it, right, or are you all checking
        the source exploits on each distro tool you use?  Are you all
        keeping up on all that source code in legacy systems?  Script
        kiddies could just be running the python exploit example
        publicized here:
        http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/ 


        Ref:  http://www.coresecurity.com/content/open-bsd-advisorie 


        4) Quagga bgpd denial of service vulnerability (not just for
        OpenBSD 4.4 or earlier, but it is trivial to update source in
        other distros): 


        http://www.openbsd.org/errata44.html 


        Other distros:  Ref:  http://www.securityfocus.com/bid/17979 


        5) OpenBSD 4.6 BIND dynamic zone update message crash (should
        you need to use BIND on your firewall). 


        http://www.openbsd.org/security.html#46 


        6) Exploit mitigation techniques are very complex. Once you read
        through a well explained example, you will agree, that one
        mitigation technique might not be sufficient.   


        http://www.openbsd.org/papers/ven05-deraadt/index.html 


        Summary: Check your security patch and exploits by release for
        OpenBSD here:   


        http://www.openbsd.org/security.html 


        Be sure to indicate to all your stakeholders that when you take
        down your firewall to implement these fixes EVERYTHING will be
        either down or at risk?  Be sure to dd that original kernel to
        backup before attempting a patch, so you can swiftly roll back?
         Same thing for all the juicy binary sources, running
        unpatched...ignored and constantly under siege! 
                ---------------------------------------------------
                PLUG-discuss mailing list -
                
                To subscribe, unsubscribe, or to change your mail
                settings:
                http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
        -- 
        Skype: (623)239-3392 
        AT&T: (503)754-4452 
        www.obnosis.com
        http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg