Linux vs OpenBSD as a router

Lisa Kachold lisakachold at obnosis.com
Wed Oct 21 08:06:48 MST 2009


Gentoo likewise has problematic patch security and package management.  I
have built more than a few of those systems.
OpenBSD of course has less to patch, if installed without all the X.

SLES has inherent kernel security and NX (immunix-style development by
Crispin Cowan), and packages can easily be hardened.

All production use of Linux requires a good understanding of both patch
management and server hardening, especially in a firewall.

My point is that whatever you choose, especially in a production
environment, a process must be in place to track security issues, and apply
patches with a modicum of dependence that they will, in fact, work, with
insurance that the downtime will be ONE reboot (for a kernel patch/rebuild).

You know that the day the exploit has been announced, the exploit scripts
are in play?

*Gentoo has horrendous security issues.  Do you know that every port open to
both local networking and external applications is secure?*

http://www.gentoo.org/security/en/glsa/  [Example - I am pretty sure you are
using wget (since it's part of the hand build process {you did build your
gentoo distro by hand didn't you?}) - first thing on the list... possibly
mitigated because you don't have shell users to gain root, but there are a
great many others that are a factor in a firewall application (net/dhcpd).]

*How are you going to be alerted tomorrow when the reverse engineers partner
with progress to disassemble binaries/kernels/SSL entropy while building
metasploit toys/tools to prove their intelligence is worth a book deal or
consulting company?*

On Wed, Oct 21, 2009 at 7:46 AM, Paul Mooring <drpppr242 at gmail.com> wrote:

> I don't know as much about security as you do, but surely you're not
> suggesting that distros like suse or ubuntu are more secure than openbsd.  I
> thought the whole purpose behind openbsd was to make a secure os, as opposed
> to suse for example which I quit using on firewall servers for the security
> issues created from all the unwanted packages installed by default.  Are you
> saying I'm wrong in thinking that by default openBSD/pf has significantly
> fewer security issues than say gentoo/iptables (which is what I'm currently
> using in this set up).
>
> -----Original Message-----
> *From*: Lisa Kachold <lisakachold at obnosis.com>
> *Reply-to*: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> *To*: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> *Subject*: Re: Linux vs OpenBSD as a router
> *Date*: Tue, 20 Oct 2009 19:09:39 -0700
>
> On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring <drpppr242 at gmail.com> wrote:
>
>
> I've been running linux routers using iproute2 and iptables for a while
> now, and openBSD just had a new release which has me considering switching
> my home setup to a BSD pf solution.  Does anyone have any experience
> comparing the two?  I guess I'm also concerned about other software I use on
> my linux router not being supported in openBSD (OpenVPN, OpenSwan, and
> Quagga primarily).
>
>
>  Hi!  I agree that pf is easier.  My first copy of FreeBSD was won from
> Defcon 6, answering a question correctly from the crowd, and I proceeded to
> learn about the wonders that are BSD for a command line (and Xterm) systems
> administrator.
>
> But seeing a good number of implementations of both linux and especially
> OpenBSD in the field, I see shameful exploits that have never been patched.
> I.e. they set it up, (fail to test their rules fully with a full tool suite
> like BackTrack4 [but that is another subject]) and call it functionally
> adequate; the world marches on, and reverse engineers as progress continues,
> yet OpenBSD core kernel exploits (for instance) are never patched (like the
> well known null kernel dereference exploit).
>
> Here are the top $n reasons to avoid OpenBSD:
>
> 1) Use a distribution that provides automated source and binary patch
> management or updates like SLES, Redhat, or Ubuntu for your firewall
> source.
>
> http://www.openbsd.org/faq/faq15.html
>
> You are not going to have time to deal with issues brought forth from
> updates and kernel rebuilds on your bastion firewall system.
>
> 2) Example OpenBSD PF null pointer dereference & scapy:
>
>   ------------------------------
>   *PROBLEM:* OpenBSD PF Remote Denial Of Service Vulnerability. Exploiting
> this issue allows remote attackers to cause a kernel panic on affected
> computers, denying further service to legitimate users.
>   *PLATFORM:* OpenBSD 4.3, 4.4, and 4.5 are affected.
>   *ABSTRACT:* OpenBSD's PF firewall in OpenBSD 4.3 up to OpenBSD-current is
> prone to a remote Denial of Service during a null pointer dereference in
> relation with special crafted IP datagrams. If the firewall handles such a
> packet the kernel panics. The vulnerability resides in 'sys/net/pf.c' in the
> pf_test() function.
>
> Ref:  http://www.doecirc.energy.gov/bulletins/t-110.shtml
>
> Current release is 4.6, but you can bet there are no proactive patches for
> anything older than April 2009!  Get scapy baby!  Ref:
> http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/
>
> 3) IPv6 was hopelessly broken in OpenBSD up to 4.1 (2007)
>
> Remotely exploitable buffer overflow vulnerability, due to kernel memory
> design flaw in IPv6.
>
> Hey?  Good thing I mentioned it, right, or are you all checking the source
> exploits on each distro tool you use?  Are you all keeping up on all that
> source code in legacy systems?  Script kiddies could just be running the
> python exploit example publicized here:
> http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/
>
> Ref:  http://www.coresecurity.com/content/open-bsd-advisorie
>
> 4) Quagga bgpd denial of service vulnerability (not just for OpenBSD 4.4 or
> earlier, but it is trivial to update source in other distros):
>
> http://www.openbsd.org/errata44.html
>
> Other distros:  Ref:  http://www.securityfocus.com/bid/17979
>
> 5) OpenBSD 4.6 BIND dynamic zone update message crash (should you need to
> use BIND on your firewall).
>
> http://www.openbsd.org/security.html#46
>
> 6) Exploit mitigation techniques are very complex. Once you read through a
> well explained example, you will agree, that one mitigation technique might
> not be sufficient.
>
> http://www.openbsd.org/papers/ven05-deraadt/index.html
>
> Summary: Check your security patch and exploits by release for OpenBSD
> here:
>
> http://www.openbsd.org/security.html
>
> Be sure to indicate to all your stakeholders that when you take down your
> firewall to implement these fixes EVERYTHING will be either down or at risk?
> Be sure to dd that original kernel to backup before attempting a patch, so
> you can swiftly roll back?  Same thing for all the juicy binary sources,
> running unpatched... ignored and constantly under siege!
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> Skype: (623)239-3392
> AT&T: (503)754-4452
> www.obnosis.com
> http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg
>



-- 
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg
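The "dd the original kernel to backup before you patch, so you can roll back in one reboot" step that the thread keeps returning to, written out as an added POSIX sh example (this is not code from the list or from either poster). It assumes the OpenBSD layout where the running kernel is /bsd and the backup sits beside it; the paths are hypothetical parameters so the functions can be exercised on any files.

```shell
#!/bin/sh
# Added example, not from the thread: keep a verified copy of the running
# kernel so a failed kernel patch can be rolled back with a single reboot.
# Assumed (hypothetical) defaults on OpenBSD: kernel /bsd, backup /bsd.prev.
set -eu

# backup_kernel SRC DEST : copy SRC to DEST with dd and verify the copy.
backup_kernel() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=64k 2>/dev/null
    # cksum is POSIX; both fields (CRC and byte count) must match.
    [ "$(cksum < "$src")" = "$(cksum < "$dest")" ] || return 1
    # record the checksum so a later rollback can verify the backup too
    cksum < "$dest" > "$dest.cksum"
}

# rollback_kernel BACKUP KERNEL : restore BACKUP over KERNEL, but only if
# the backup still matches the checksum recorded when it was taken.
rollback_kernel() {
    backup=$1; kernel=$2
    [ "$(cksum < "$backup")" = "$(cat "$backup.cksum")" ] || return 1
    dd if="$backup" of="$kernel" bs=64k 2>/dev/null
    [ "$(cksum < "$kernel")" = "$(cat "$backup.cksum")" ]
}

# install_kernel NEW KERNEL BACKUP : back up KERNEL, then swap in NEW; on a
# short or failed copy, restore the backup so the box still boots.
install_kernel() {
    new=$1; kernel=$2; backup=$3
    backup_kernel "$kernel" "$backup" || return 1
    if ! dd if="$new" of="$kernel" bs=64k 2>/dev/null \
       || [ "$(cksum < "$new")" != "$(cksum < "$kernel")" ]; then
        rollback_kernel "$backup" "$kernel"
        return 1
    fi
}
```

On a real box the three paths would be /bsd.new, /bsd and /bsd.prev, run as root immediately before the reboot into the patched kernel.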