gill wrote:
> Why not FreeBSD?
>
> What is the level of trust/distrust for this OS among you, the security
> community?

I'll admit I'm not a fan of the *BSD UNIXes, but then for security
reasons and disenchantment with how bloated a simple Linux install
can be, I decided to look into the *BSD UNIXes a couple of weeks
ago. I settled on OpenBSD for my web server, and may also use it
for my router too. It was simple to strip it down to a bare bones
system that only has the minimal stuff needed for web serving. I'm
now in the process of building scripts to build a chroot environment
for Apache to run in. As for using it as a router, I haven't decided
yet. Its core network code is from the same set as FreeBSD and
NetBSD so it should have the same set of capabilities. I'm wondering
if I can get the FreeBSD Drawbridge Patches
(http://drawbridge.tamu.edu/)
to work on OpenBSD. One of the things I like about OpenBSD is most
of the security stuff like encryption is incorporated in the kernel
and utilities. I don't have to get separate packages to add that
functionality in. (OpenBSD development is hosted in Canada so it can
get around the US export restrictions on cryptography.)

As with any router/firewall code hosted on an OS, you need to secure
the host OS before you will get any sort of security out of the
router. From my evaluations, I decided that OpenBSD was likely the
easiest to secure. The reason being they have a policy of having most
daemons disabled on install, and they have also done a lot at finding
and fixing possible security flaws as well as dealing with the known
ones. As a default they have named set up to run in a chroot environment
if you decide to enable it. This is a significant testimony as to how
much they desire security over going with a "standard" implementation.
When a program or service could be enabled with or without security,
they chose to make the secure mode the default.

As a side note I've heard that there is a similar project going on to
make a highly secure Linux, but it has yet to release a distribution.
--
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |