OpenBSD Journal

Making a Living Saving the Government Money

Contributed by jose on from the action dept.

Newsforge was recently running an interesting article on an infrastructure contractor that uses open source software heavily. Among the many things they are using, OpenBSD firewalls appear high on their list. The article goes on to discuss the other components they build upon, adding their own software to the system. An interesting quote from the article: "the Feds hired a company called AtStake to perform an independent penetration test, and they gave devIs an excellent bill of health."

Secure, functional, open: all of OpenBSD's principles in action for someone.



Comments
  1. By Anonymous Coward () on

    It is too bad so many people feel that OpenBSD is to be used only as a firewall. Quite frankly, any other 'ix running a packet filter and no network services of any kind would be as secure as an OpenBSD box similarly configured. The security benefits of OpenBSD over other OSes really only come into play when it is used for network services (where it may serve to prevent or mitigate a hack of an exposed service). This whole trend doesn't instantly say 'clueful' to me -- even though all exposure is, I suppose, beneficial to OBSD in general.

    (N.B. Yes, I do realize that some software currently is better run on other OSs for compatibility or performance reasons -- I'm not saying OBSD is always the right choice or really commenting on this particular business's practices, just the OBSD = firewall idea in general.)

    Comments
    1. By anders () on

      imho, what tends to happen is that companies will have pre-existing infrastructure with respect to what software runs their webservers/mail/workstations etc.

      when pressure is put on the IT people or consultants to secure the network a bit, it is a lot cheaper but still effective to install some secure firewalls and routers, so people look to openbsd. changing everything to obsd (of which, of course, we would certainly be in favor :) costs more and is often not needed, at least from management's standpoint.

      thus obsd is seen most frequently as a firewall os, when it really is a lot more.

    2. By garbonzo () on

      Associating OpenBSD with firewalls is a great way for OpenBSD to carve out a niche for itself. Once it's established, all that needs to be done is for Theo and all to make some bitching applications that cater to other problem domains. Looking at their track record for the past year or so indicates that this is plausible. Finally, we should all use the slogan "OpenBSD: it's not just for firewalls anymore" once things are released.

      Comments
      1. By Grant () gbayley at wiretapped dot net on http://www.wiretapped.net/~gbayley/

        Or here's a nice line, maybe for /etc/motd use, with apologies to Heckler and Koch, who use this as their unofficial slogan:

        In a world of compromise, some don't.

    3. By Anonymous Coward () on

      I agree with you. I've used openbsd as a desktop operating system. It is wonderful. Easy install, a little difficult to get X up and running, but once I did that it was great. I'll be returning to OpenBSD once mozilla and OpenOffice run without jumping through hoops. It was faster than the Mandrake/Linux that I'm using right now, and prettier. Just not enough of the stuff I use every day.

    4. By Anonymous Coward () on

      It is a too bad so many people feel that OpenBSD is to be used only as a firewall.

      I agree. Put a perfect firewall in front of an unpatched IIS web server and you've solved almost nothing. I'm not an expert, but my approach is to run Apache on the OpenBSD box as well, so that even if someone finds a web server vulnerability they hopefully will have a relatively difficult time rooting the box. Once the non-executable stack code is rolled in this strategy should be pretty solid, I think.

      Comments
      1. By Anonymous Coward () on

        this strategy works better if no one else is using oBSD.

        because there are a lot of apache installations on linux, people will know how to exploit them. The same (future) bugs (may) exist on oBSD, but you are less likely to be attacked because no one can be bothered.

        the counterpoint is....
        all the stack protection, non-exec pages and systrace limit the worth of an oBSD machine's compromise to such a level that we probably do not care much. Although a DoS against high profile sites / services appears to be enough for people to be bothered.

    5. By mra () on

      I'd have to disagree. I run an environment where I am lucky enough to have OpenBSD on all the major network services. That being said, I think even if it were *only* on the firewall I'd have a nice degree of protection by scrubbing all the incoming packets, adding to the randomness of the outgoing sequence numbers, and forcing communication to only go over certain ports. Yes, almost all firewalls can do that last item, some can even do the second, but few support the first.

      In the case of running an unpatched IIS server behind an OpenBSD firewall I again have to say that there is a much better level of protection. The code red may be able to come in, but it can't go out. Same with the OpenSSH bug. I actually didn't patch my firewall right away because the exploit as it was released could not take advantage of my network. The only port going out on that machine already had the ssh daemon bound to it, so Gobbles' shell bound to port 128 did nothing.

      Lastly, I'd have to say that once the local IT staff find out how easy and inexpensive OpenBSD is, they will tend to move it off the firewall and set it up as the internal dns or dhcp server. No, they aren't going to run Oracle on it, but they do start to realize that they can use it for more.

      Comments
      1. By Michael Anuzis () on

        "I actually didn't patch my firewall right away because the exploit as it was released could not take advantage of my network. The only port going out on that machine already had the ssh daemon bound to it, so Gobbles' shell bound to port 128 did nothing."

        Very bad security practice. There were *two* exploits released to my knowledge, one that bound to port 128 (which was not the gobbles one) and one that did *everything* on port 22. You're just lucky you didn't get nailed! And to think the thing at stake was root access on that corporate network! When you know something is vulnerable PATCH IT!

        Comments
        1. By Michael Anuzis () on

          Example showing Gobbles' ssh exploit does in fact deal with port 22 alone:

          http://www.lucidic.net/whitepapers/manuzis-7-5-2002-1.jpg all on port 22, and this is on an OBSD box behind an OBSD firewall! It still got hacked!

          http://www.lucidic.net/whitepapers/manuzis-7-5-2002-13.txt script of the actual Gobbles exploit being used. Firewalls won't do a thing when they're still allowing traffic to vulns like this.

          Comments
          1. By Matt Van Mater () on

            yeah but if port 22 was already bound, would this exploit be able to send a kill signal to the service and then start its own code? I'm not familiar with the exploit so I'm not aware of its abilities.

            Sometimes you have to wait a short while before you apply patches. You should really test them as best as possible in a non production environment before you go live with something new (yeah we all knew this already).

            Comments
            1. By Anonymous Coward () on

              I think the problem comes down to two questions:
              Do I want access to my box but take the risk of giving root access to any script kiddie?
              or
              Do I want to take the risk of losing access to my machine while being sure no one else uses my firewall?

              Sincerely, I do not understand how a patch to ssh could have affected your production system... or maybe you use your firewall for something else... which would be worse to leave unpatched.

              Anyway, just my 2 francs CFA
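As an added editorial example (not code from the thread or from any of the posters), here is a pf.conf that does the three things mra lists: scrub incoming packets, randomize TCP initial sequence numbers, and confine the server to a fixed set of ports in both directions. The interface names, the 192.0.2.10 server address and the chosen ports are placeholders, and the syntax is the current pf grammar rather than the 2002 one. The comments also carry Michael Anuzis's caveat: the egress rules strand a payload that binds a listener on a spare port or tries to call home, but do nothing against an exploit that finishes its work inside an allowed port 22 connection.

```pf
# /etc/pf.conf -- added example, not from the thread. Names and addresses
# are placeholders; adjust to the real interfaces and hosts.
ext_if  = "em0"            # assumption: outside interface
int_if  = "em1"            # assumption: DMZ interface
web_srv = "192.0.2.10"     # assumption: the Apache/sshd host behind the firewall

set skip on lo

# 1. Scrub: reassemble fragments, clear DF on fragmented packets,
#    randomize the IP ID field, and normalize TCP (window/seq checks).
match in all scrub (no-df random-id reassemble tcp)

# Default deny, logged, in both directions. There is deliberately
# no "pass out all"; outbound traffic must be listed explicitly.
block log all

# 2. Inbound to the server: only the services it actually exposes.
#    "modulate state" replaces the TCP initial sequence numbers with
#    pf-generated random ones, which is the ISN randomization mra describes.
pass in on $ext_if inet proto tcp from any to $web_srv port { 22 80 } \
    modulate state

# 3. Egress from the server: only DNS and NTP, nothing else.
#    A shellcode that binds a listener on port 128 is unreachable (nothing
#    passes in to it), and a reverse shell from $web_srv to a random port
#    is dropped by the block rule above.
pass out on $ext_if inet proto { tcp udp } from $web_srv to any port 53
pass out on $ext_if inet proto udp from $web_srv to any port 123

# Caveat (Anuzis's point): an exploit that sends its payload and runs its
# shell entirely over the already-permitted port 22 session is carried by
# the "pass in ... port 22" rule. No packet filter rule fixes that; only
# patching sshd does.
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then load with `pfctl -f /etc/pf.conf`. After the rules are in, `pfctl -ss` shows the modulated states and `tcpdump -n -e -ttt -i pflog0` shows what the block rule is logging, which is how you would see a stranded bind-shell or call-home attempt.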

    6. By Chris Humphries () chumphries@drauku.net on http://drauku.net

      sorry, but for me, openbsd just isn't good enough for a workstation. till it can provide me with all the apps that others can, I will have to say no thanks.

      I don't like having to hack up something just to get it to work when it works everywhere else in the world fine (openoffice, mozilla).

      some people are fine with all that kde offers or netscape 4, and just some terms, which is totally cool. I am not saying that openbsd isn't a great os for the desktop, I am saying that it just isn't for me.

      I think openbsd having the niche of firewalls and routing boxes is a good niche to be in. I don't think this is a problem. I mean the idea of people not thinking that openbsd is good enough for the desktop shouldn't totally come as a shock, as it doesn't provide the programs that others do (and I won't name names).

      it is your OS, do what you want with it. I use many OSes and I am fine with it, each has its own pros and cons. as much as one would like for people to use openbsd for the desktop, that choice is for the user to make, not everyone else.

      :)

      thanks,
      chris

  2. By Chris Humphries () chumphries@drauku.net on http://drauku.net

    We use open source because it is the best we can offer our clients. It is flexible, cheap (free), and allows us to code anything how we see fit. Not being bound to a particular environment has proved to be a very good approach. I would like to stress that clients come first, and from evaluating existing technologies, it just happens that many open source projects fit the bill.

    We are constantly evaluating technology, and certainly not bound by any one thing. If we think it is the best for us to provide what the client demands, then we will use it. It just happens that open source has been the right choice.

    (note: what i say does not officially represent the firm, just my opinions)

    thanks,
    chris

    Comments
    1. By Anonymous Coward () on

      god you're a dork

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]