Re: When would you NOT use OpenBSD?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: When would you NOT use OpenBSD?
- From: "Chris 'Xenon' Hanson" <xenon_(_at_)_3dnature_(_dot_)_com>
- Date: Wed, 05 Apr 2006 10:58:41 -0600
I run OpenBSD for almost anything that is exposed to insecure digital spaces, like the
Internet, that needs to be seriously hardened. I run Linux (or god forbid, Windows) on
servers that can be a little "soft" because they are only exposed to "trusted" access.

My company's main websites are run on hosted servers that we don't directly control the
OS of. I believe they are running on Debian 3.1 GNU/Linux systems, and I am satisfied with
the expertise of those responsible for running them, so it's not my issue.

My router/firewall/VPN box is OpenBSD. It is the gateway to all the "soft" bits on my
intranet. The intranet server runs Linux (Slackware), for multiple reasons. Generally you
have a wider applications base and possibly easier access to more modern versions of
tools, and more people who have expertise to draw upon. Also, there are some performance
reasons, it being an SMP machine.

There are two exceptions to the hard/soft rule. There are two tunnels through the
hardened OBSD gateway into "soft" Linux servers: Mail and DMZ HTTP.

For architectural reasons, my SMTP server runs on the "soft" Linux intranet server.
However, I run qmail, a piece of software written by someone who is equally concerned
about code quality and security as the OpenBSD team themselves. I am generally confident
that exposing access to qmail on a "soft" Linux system is not a point of failure. If an
exploit were found in qmail, I would need to move quickly to resolve it since Linux does
not have nearly as much exploit-prevention architecture as OpenBSD.

The second soft hole is access to a Linux-based low-load webserver running in my
network DMZ. I chose Linux here to have wider access to more modern webserver software and
applications. Due to the higher potential for exploitation, this machine is walled off
into a DMZ with no access to the Intranet. It is remotely backed up by a revision tracking
system on a daily basis so that it can be rebuilt or rolled back to a known good state if
it is compromised.

There are a couple of Windows remote-desktop machines and an ancient Windows fax server
lurking in the intranet zone, but they aren't allowed to speak to the outside world except
via secure VPN connections established and controlled by the OpenBSD gateway.

Use systems of trusted security (OpenBSD and/or qmail) whenever compromise would be
expensive. Allow less hardened systems only where compromise is not likely (intranet), or
not costly (DMZ).

Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
"I set the wheels in motion, turn up all the machines, activate the programs,
and run behind the scenes. I set the clouds in motion, turn up light and sound,
activate the window, and watch the world go 'round." -Prime Mover, Rush.
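
The two tunnels and the DMZ isolation described in the message above, sketched as a pf.conf fragment in current OpenBSD pf syntax. This is an added example, not the poster's ruleset: the interface names and addresses are assumptions, and ports 25 and 80 are the standard SMTP and HTTP ports rather than values given in the post.

```pf
# Added illustration, not the poster's ruleset. Interface names and
# addresses are assumptions (constructed RFC 1918 values).
ext_if   = "em0"            # Internet side of the OpenBSD gateway
lan_if   = "em1"            # intranet ("soft" zone)
dmz_if   = "em2"            # DMZ
mail_srv = "192.168.1.10"   # intranet Linux server running qmail
web_srv  = "192.168.2.10"   # DMZ Linux web server

set skip on lo

# Default deny: anything not listed below is dropped and logged.
block log all

# DMZ hosts may never open connections into the intranet. "quick" makes
# this final, so a later pass rule cannot reopen the path by accident.
block in log quick on $dmz_if inet from any to $lan_if:network

# Tunnel 1: inbound SMTP is redirected to qmail on the intranet server.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port 25 rdr-to $mail_srv
pass out on $lan_if inet proto tcp from any to $mail_srv port 25

# Tunnel 2: inbound HTTP is redirected to the DMZ web server.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
pass out on $dmz_if inet proto tcp from any to $web_srv port 80

# Replies ride on the state entries the pass rules create, so no rule
# lets either server initiate traffic. Outbound, backup and VPN rules
# are left out because the post gives no detail on them.
```

The fragment can be syntax-checked without loading it by running `pfctl -nf` on the file.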