Mark Uemura wrote:
> I hope this helps others put forth a good case for
> OpenBSD in their working environment.
Overall the presentation is well-done, but I take some exception with
some of your conclusions on slide 34. I know when I talk to a vendor
and get unrealistic comparisons, mentally that vendor is out the door.
DNS: You don't need a dual P3 with 2 GB for a DNS server in Windows. If
the server isn't an AD controller, that P3/500 would be plenty. If it
is an AD controller, then the server size depends on how many users you
have, and to offer a good comparison, you'd have to size the OpenBSD
machine for Kerberos and LDAP.
(Same argument for DHCP, if you run a DHCP server on a dual P3, the
server is going to be bored most of the time.)
I also noticed you're comparing a PC to a server. For any OS, a "real"
server will generally be a higher quality and more stable than a PC.
PCs don't have hot-swap drives or power supplies. Again, this isn't a
fair comparison.
Remote access: Windows' built-in Remote Desktop is included with the OS,
you don't need OpenBSD for that. You couldn't do that over your Intel
VPN? Remote Desktop is potentially vulnerable to MITM, but it's
probably more secure than an external web site like GoToMyPC.
You can also install OpenSSH on your Windows machines and manage them
with netsh or a variety of other command-line tools.
Wireless: I'm not sure if Server 2003 can act as an AP, I haven't tried
setting it up. It can, however, provide 802.1X authentication, which
requires less end-user configuration (on Windows clients) than authpf.
VPN: Why the hell does everyone hate the included Microsoft VPN? If you
run an MS shop, it's easy and cheap. That uses IPsec, ISAKMP and PKI.
It also has features to quarantine Windows clients that don't meet your
criteria for system security.
(Yes, the MS PPTP protocol had some weaknesses, but that was 1998.
That'd be like avoiding OpenSSH because the SSH 1.0 protocol had some
weaknesses.)
Web: I assume you had some talking points here, specifically about
privsep and code cleanup in OpenBSD's Apache. The biggest problems with
IIS are from admins enabling it when they don't need to, or using IIS
when another product would do. The Microsoft developers are even
learning to run the web processes as low-privilege processes (Srv 2003
SP1), although third-party developers aren't paying attention.
Besides, you can run Apache on Windows, so the core argument is between
the trunk Apache and OpenBSD's Apache.
IDS: Snort doesn't run on Windows?
Firewall: I'm not familiar with Checkpoint, but their web site
(http://www.checkpoint.com/products/downloads/firewall-1_datasheet.pdf)
says that Checkpoint on Windows requires 256 MB RAM and doesn't list
processor requirements. Sounds like somebody just wanted to buy a big
server. There's no good reason to have two processors in a firewall.
Other comments: When you boil it down, the $500 for Server 2003 isn't
really all that expensive for a mid-size or large company. CALs can
make a difference in large companies, but that doesn't really come into
play here.
You've made a good argument for using OpenBSD as a redundant firewall or
access point, but that's more Cisco's domain than Microsoft's. Maybe
find out if you can set up a redundant file server using OpenBSD/CARP,
and compare that to active/passive Windows server clustering.
Don't use "Micro$oft", it makes you sound like a zealot, and hasn't been
funny since 1992. Well, maybe leave it on slide 25, I like it
contrasted with "ChequePoint".
Avoid relying on cheap hardware to make your cost point. OpenBSD runs
well on "real", modern servers. Managers at mid/large companies aren't
going to want to hear about how you pulled machines out of the trash and
now the business depends on them, even if they're 4x redundant.
Slide 3: The first two paragraphs only preach to the converted. Maybe
add a fourth bullet point, "Your competitors are probably saving money
using it", depending on your audience.