On Mon, 27 Sep 2010 16:24:14 +0100 - Tethys <tet...@gmail.com> wrote:
> On Sun, Sep 26, 2010 at 11:10 PM, Brad Tilley <b...@16systems.com> wrote:
>
> > I don't mean this as bashing Linux, just pointing out facts. I think
> > history shows that OpenBSD has a better track record here (if that means
> > anything to anyone).
>
> Does it though? The only empirical evidence I've seen is with OpenBSD
> running in its default configuration, which I'm not aware of anyone
> actually using in the real world. I'd be interested to see how an
> OpenBSD web server or firewall fared against the Linux distributions
> and commercial unices.

The default configuration includes PF with ssh, and so, as you said, OpenBSD as a stateful firewall is far more secure than Linux; I don't think that PF rules count as non-default. The OpenBSD Apache is said to be more secure, but this is irrelevant as the discussion was about exploits in a minimal firewall install and so centred around the kernel. It's not clever to run a web server or antivirus on a firewall, especially once operational.

The only possible argument for Linux here is perhaps the ease of updates, but I've never had to update an OpenBSD basic firewall for security reasons and so can lock it down further. Things like memory protection tell you OpenBSD kicks ass. This is confirmed by reports of people getting repeatedly 0wned on ipcop and switching to OpenBSD and not looking back.

IMHO the only debate here was: does Linux behind OpenBSD increase or reduce the security of the network? This would depend on many factors, like what runs on client machines, and would differ for different exploits. E.g. running snort may stop an attack against an app behind your firewall, but may open your firewall, and so the whole network, up to attack due to a packet-parsing bug. Therefore a one-way cable, or running snort on the client, or creating bastion hosts would be the right idea, but this is often out of the admin's control.

Even when they have total control, they usually don't bother, not willing to risk being blamed, and so copy the norm. This is why security is a process and takes a good admin and code.
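As an added illustration (not part of the thread), a minimal default-deny PF ruleset for the kind of locked-down OpenBSD firewall described above, where sshd is the only service the box exposes and only to named LAN hosts; interface names, the LAN prefix and the admin address are assumed, and the NAT syntax is that of OpenBSD 4.7 and later:

```pf
# Constructed example, not the OpenBSD default /etc/pf.conf.
# Assumed layout: em0 faces the internet, em1 faces the LAN.
ext_if      = "em0"
int_if      = "em1"
lan_net     = $int_if:network
admin_hosts = "{ 192.168.1.10 }"   # assumed: only box allowed to ssh in

set skip on lo0
set block-policy drop              # silently drop instead of RST/ICMP replies

# Drop packets whose source address does not belong on the interface.
antispoof quick for { $ext_if $int_if }

# Hide the LAN behind the external address (OpenBSD 4.7+ match/nat-to).
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# Default deny: nothing reaches the firewall or crosses it unless listed.
block all

# Management: ssh to the firewall's LAN address, only from admin hosts.
pass in quick on $int_if inet proto tcp from $admin_hosts to ($int_if) port ssh

# No other traffic to any of the firewall's own addresses ("self"):
# the point is that nothing else listens here, no web server, no IDS.
block in quick on $int_if to self

# LAN hosts may go out; replies come back via the state table, so no
# inbound rule exists on $ext_if at all.
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries that make the inbound side work without an allow rule.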