Linux vs OpenBSD as a router

Paul Mooring drpppr242 at gmail.com
Thu Oct 22 08:04:41 MST 2009


Please excuse my inexperience here, but I'm not sure what you mean.  I
have a script that runs in cron and checks installed packages against
GLSA (glsa-check is an app for Gentoo), and if there is a security
problem on an installed package it notifies us immediately.  Because of
this, security packages that make it into portage are generally applied
to systems within the hour of their release.  However, I'm not sure
what you mean by checking against the patch lists (like I said, I'm
still a relatively new sysadmin in general).  Is there a better way to
go about security policy for Linux servers?

By the way, I'm not particularly attached to Gentoo, so if you or anyone
knows another distro that is better from a sysadmin standpoint for
staying ahead of security, that would be great.  The above-mentioned
glsa-check script and another script allowing most packages to be
updated on all servers at once are the main reasons I use it.

-----Original Message-----
From: Lisa Kachold <lisakachold at obnosis.com>
Reply-to: Main PLUG discussion list
<plug-discuss at lists.plug.phoenix.az.us>
To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
Subject: Re: Linux vs OpenBSD as a router
Date: Thu, 22 Oct 2009 00:50:10 -0400

Yes, my point with wget was/is that it's on ALL distros, so having
package updates is essential.

Do you actually trust portage, or have you had stellar experiences with
Gentoo patch updates?

In my historical day(s), portage was replaced by the best Gentoo admins
(Dotster for instance, now replaced with CentOS) with custom local
portage server source, due to many issues.

And from my experience, Gentoo admins simply don't patch update.
Honestly, now, do you?  Have you checked your source against the patch
lists?

Point made!

On Wed, Oct 21, 2009 at 12:09 PM, Paul Mooring <drpppr242 at gmail.com>
wrote:
        I definitely see what you're saying and agree that the most
        important thing is to use a distro or OS that you have policies
        in place to stay current on patches and updates for, but I'm not
        sure I see your point about Gentoo security.  It looks to me
        like that link shows a patch in portage where Gentoo had fixed
        an issue with wget (before similar updates were out for SUSE,
        Red Hat, or Ubuntu), which seems to me to be an indicator of good
        security practices for a distro, and as far as securing open
        ports, I would think you wouldn't open them up in the first
        place without trusting the service on any particular port.

        -----Original Message-----
        From: Lisa Kachold <lisakachold at obnosis.com>
        Reply-to: Main PLUG discussion list
        <plug-discuss at lists.plug.phoenix.az.us>
        To: Main PLUG discussion list
        <plug-discuss at lists.plug.phoenix.az.us>
        Subject: Re: Linux vs OpenBSD as a router
        Date: Wed, 21 Oct 2009 08:06:48 -0700

        Gentoo likewise has problematic patch security and package
        management.  I have built more than a few of those systems. 
        
        OpenBSD of course has less to patch, if installed without all
        the X.   
        
        SLES has inherent kernel security and NX (Immunix-style
        development by Crispin Cowan), and packages can easily be
        hardened.
        
        All production use of Linux requires a good understanding of
        both patch management and server hardening, especially in a
        firewall. 
        
        My point is, that whatever you choose, especially in a
        production environment, a process must be in place to track
        security issues, and apply patches with a modicum of dependence
        that they will, in fact, work, with insurance that the downtime
        will be ONE reboot (for a kernel patch/rebuild).
        
        You know that the day the exploit has been announced, the
        exploit scripts are in play? 
        
        Gentoo has horrendous security issues.  Do you know that every
        port open to both local networking and external applications is
        secure? 
        
        http://www.gentoo.org/security/en/glsa/  [Example - I am pretty
        sure you are using wget (since it's part of the hand build
        process {you did build your gentoo distro by hand didn't you?})
        - first thing on the list....possibly mitigated because you
        don't have shell users to gain root, but there are a great many
        others that are a factor in a firewall application (net/dhcpd).]
        
        How are you going to be alerted tomorrow when the reverse
        engineers partner with progress to disassemble
        binaries/kernels/SSL entropy while building metasploit
        toys/tools to prove their intelligence is worth a book deal or
        consulting company?

        On Wed, Oct 21, 2009 at 7:46 AM, Paul Mooring
        <drpppr242 at gmail.com> wrote:
        
                I don't know as much about security as you do, but
                surely you're not suggesting that distros like SUSE or
                Ubuntu are more secure than OpenBSD.  I thought the whole
                purpose behind OpenBSD was to make a secure OS, as
                opposed to SUSE for example, which I quit using on
                firewall servers for the security issues created from
                all the unwanted packages installed by default.  Are you
                saying I'm wrong in thinking that by default OpenBSD/pf
                has significantly fewer security issues than, say,
                Gentoo/iptables (which is what I'm currently using in
                this setup)?

                -----Original Message-----
                From: Lisa Kachold <lisakachold at obnosis.com>
                Reply-to: Main PLUG discussion list
                <plug-discuss at lists.plug.phoenix.az.us>
                To: Main PLUG discussion list
                <plug-discuss at lists.plug.phoenix.az.us>
                Subject: Re: Linux vs OpenBSD as a router
                Date: Tue, 20 Oct 2009 19:09:39 -0700

                On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring
                <drpppr242 at gmail.com> wrote: 
                
                        I've been running linux routers using iproute2
                        and iptables for a while now, and openBSD just
                        had a new release which has me considering
                        switching my home setup to a BSD pf solution.
                        Does anyone have any experience comparing the
                        two?  I guess I'm also concerned about other
                        software I use on my linux router not being
                        supported in openBSD (OpenVPN, OpenSwan, and
                        Quagga primarily).
                        
                
                Hi!  I agree that pf is easier.  My first copy of
                FreeBSD was won from Defcon 6, answering a question
                correctly from the crowd, and I proceeded to learn about
                the wonders that are BSD for a command line (and Xterm)
                systems administrator. 
                
                But seeing a good number of implementations of both
                Linux and especially OpenBSD in the field, I see
                shameful exploits that have never been patched.  I.e.,
                they set it up (fail to test their rules fully with a
                full tool suite like BackTrack4 [but that is another
                subject]) and call it functionally adequate; the world
                marches on, and reverse engineers as progress continues,
                yet OpenBSD core kernel exploits (for instance) are
                never patched (like the well known null kernel dereference
                exploit).
                
                Here are the top $n reasons to avoid OpenBSD:  
                
                1) Use a distribution that provides automated source and
                binary patch management or updates like SLES, Redhat, or
                Ubuntu for your firewall source.  
                
                http://www.openbsd.org/faq/faq15.html 
                
                You are not going to have time to deal with issues
                brought forth from updates and kernel rebuilds on your
                bastion firewall system. 
                
                2)  Example OpenBSD PF null pointer dereference & scapy:

                ____________________________
                PROBLEM: OpenBSD PF Remote Denial Of Service Vulnerability.
                Exploiting this issue allows remote attackers to cause a
                kernel panic on affected computers, denying further service
                to legitimate users.
                PLATFORM: OpenBSD 4.3, 4.4, and 4.5 are affected.
                ABSTRACT: OpenBSD's PF firewall in OpenBSD 4.3 up to
                OpenBSD-current is prone to a remote Denial of Service
                during a null pointer dereference in relation with
                specially crafted IP datagrams. If the firewall handles
                such a packet the kernel panics. The vulnerability resides
                in 'sys/net/pf.c' in the pf_test() function.

                Ref: http://www.doecirc.energy.gov/bulletins/t-110.shtml

                Current release is 4.6, but you can bet there are no
                proactive patches for anything older than April 2009!
                Get scapy baby!  Ref:
                http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/
                
                3) IPv6 was hopelessly broken in OpenBSD up to 4.1
                (2007)
                
                Remotely exploitable buffer overflow vulnerability, due
                to kernel memory design flaw in IPv6.   
                
                Hey?  Good thing I mentioned it, right, or are you all
                checking the source exploits on each distro tool you
                use?  Are you all keeping up on all that source code in
                legacy systems?  Script kiddies could just be running
                the python exploit example publicized here:
                http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/ 
                
                Ref:
                 http://www.coresecurity.com/content/open-bsd-advisorie 
                
                4) Quagga bgpd denial of service vulnerability (not just
                for OpenBSD 4.4 or earlier, but it is trivial to update
                source in other distros): 
                
                http://www.openbsd.org/errata44.html 
                
                Other distros:  Ref:
                 http://www.securityfocus.com/bid/17979 
                
                5) OpenBSD 4.6 BIND dynamic zone update message crash
                (should you need to use BIND on your firewall). 
                
                http://www.openbsd.org/security.html#46 
                
                6) Exploit mitigation techniques are very complex. Once
                you read through a well explained example, you will
                agree that one mitigation technique might not be
                sufficient.
                
                http://www.openbsd.org/papers/ven05-deraadt/index.html 
                
                Summary: Check your security patch and exploits by
                release for OpenBSD here:   
                
                http://www.openbsd.org/security.html 
                
                Be sure to indicate to all your stakeholders that when
                you take down your firewall to implement these fixes
                EVERYTHING will be either down or at risk?  Be sure to
                dd that original kernel to backup before attempting a
                patch, so you can swiftly roll back?  Same thing for all
                the juicy binary sources, running unpatched...ignored
                and constantly under siege!

                        ---------------------------------------------------
                        PLUG-discuss mailing list -
                        PLUG-discuss at lists.plug.phoenix.az.us
                        To subscribe, unsubscribe, or to change your
                        mail settings:
                        http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
                
                
                
                
                -- 
                Skype: (623)239-3392 
                AT&T: (503)754-4452 
                www.obnosis.com
                http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg

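As an added example (not Paul's own cron script, and not part of the original thread), here is a cron-style check in the spirit of the glsa-check notification Paul describes at the top of this message: it parses the output of `glsa-check -t all`, keeps only GLSA ids, and mails an alert when any apply to the host. The id pattern (YYYYMM-NN), the MAILTO recipient, the use of mail(1) and the constructed sample output are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumes glsa-check -t all
# prints the ids of GLSAs affecting this host, one per line, possibly with
# a header line, and that mail(1) is available.
MAILTO="${MAILTO:-root@localhost}"   # placeholder recipient, set per site

# Keep only GLSA ids (e.g. 200910-01) from glsa-check output on stdin.
# Filtering by pattern means the header/chatter lines are dropped no
# matter whether glsa-check sends them to stdout or stderr.
affected_glsas() {
    grep -E '^[0-9]{6}-[0-9]{2}$' | sort -u
}

# Succeed (exit 0) when at least one GLSA id is present on stdin.
needs_alert() {
    [ -n "$(affected_glsas)" ]
}

# Run the real check and mail the id list when the host is affected.
# Returns 0 when clean, 1 when an alert was sent, 2 when glsa-check is missing.
run_check() {
    command -v glsa-check >/dev/null 2>&1 || {
        echo "glsa-check not installed" >&2
        return 2
    }
    out=$(glsa-check -t all 2>&1)
    if printf '%s\n' "$out" | needs_alert; then
        printf '%s\n' "$out" | affected_glsas |
            mail -s "GLSA alert on $(hostname)" "$MAILTO"
        return 1
    fi
    return 0
}

# Only run the live check when invoked as: ./glsa-alert.sh --run
case "${1:-}" in
    --run) run_check ;;
esac
```

In cron, run it with `--run` at whatever interval you can act on; the exit code distinguishes "clean", "alert sent" and "tool missing" for your job monitoring.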