
    OpenBSD Gets Harder to Crack

    By Timothy Dyck - June 2, 2003
      EXECUTIVE SUMMARY
      OpenBSD 3.3

      Organizations deploying firewalls or virtual private networks—and preferring to do so on servers rather than dedicated appliances—should consider the highly secure and easy-to-configure OpenBSD. The operating system's security track record embarrasses all others, and this release continues to advance the state of the art in attack defense. The product is free to download, or a CD set can be ordered for $40.

      KEY PERFORMANCE INDICATORS

      • USABILITY: GOOD
      • CAPABILITY: EXCELLENT
      • PERFORMANCE: GOOD
      • INTEROPERABILITY: GOOD
      • MANAGEABILITY: FAIR
      • SCALABILITY: POOR
      • SECURITY: EXCELLENT

      • PRO: Unmatched security track record; secure-out-of-the-box deployment; packet filter provides complete traffic filtering features, along with traffic shaping and load balancing; the latest in buffer overflow prevention technology with ProPolice and page-level memory permissions.
      • CON: Update mechanisms are labor-intensive for system administrators; memory protection features not currently available on x86 CPUs; no mandatory access control features to limit the power of root-level exploits; not well-supported by commercial server software vendors.

      EVALUATION SHORT LIST
      • Security-oriented Linux distributions
      • Hardware appliances
      • Trusted OS add-ons

      In the security field, nothing is quite as revealing—or as taxing—as the passage of time.

      By that measure in particular, the OpenBSD development team's OpenBSD operating system stands out. The latest OpenBSD 3.3 release, which started shipping early last month, arrives with even stronger attack defenses coupled with an amazing record of just a single remotely exploitable vulnerability in more than seven years, the best security track record for any general-purpose operating system around.

      eWEEK Labs has used past versions of OpenBSD for a number of years in our lab for network firewalls as well as in OpenHack security tests and has come to trust the product's rock-solid reliability and secure-out-of-the-box configuration. It's free to download or $40 for a CD version.

      This release improves the package's already-powerful network filtering features with the addition of bandwidth preallocation, selective traffic prioritization and load balancing.

      For network firewall or router deployments, OpenBSD provides a secure, easy-to-configure option, while still supporting the deployment of general-purpose network server applications such as The Apache Software Foundation's HTTP Server or Internet Software Consortium's BIND (Berkeley Internet Name Domain) name server. (Apache 1.3.27 and BIND 9.2.2 are installed on OpenBSD 3.3 by default.)

      Although OpenBSD has a generous set of prebuilt software packages available for it (installing KDE, or K Desktop Environment, 3.1 was very straightforward), it is not well-supported by commercial server software vendors the way Linux, Windows or Solaris is. It also doesn't support more than one CPU per server.

      Keeping an OpenBSD system up-to-date is also very demanding for system administrators. Configuration files in /etc need to be manually migrated during version upgrades (which ship every six months), and security patches are released only in source code form. A binary patch distribution tool would make it much easier to deploy OpenBSD systems in larger numbers.

      Overflow Attack Protection

      OpenBSD 3.3 enables by default ProPolice, an application buffer overflow protection mechanism developed by IBM Research. To get this protection, users need to compile applications with the ProPolice-equipped GNU Compiler Collection compiler that comes with OpenBSD or use just the already-protected applications that ship with OpenBSD.

      OpenBSD 3.3 adds page-level memory permissions (on SPARC, Alpha and PA-RISC CPUs) that mark each memory page as either writable or executable (but not both at once), to make it harder for an attacker to write attack code into a memory location and execute it.

      Unfortunately, this feature isn't provided on x86 or PowerPC chips yet, although it's planned for the OpenBSD 3.4 release.
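The write-then-seal discipline that a writable-or-executable page policy imposes on software, as an added example (not OpenBSD code and not from the original review). It uses the standard POSIX `mmap`/`mprotect` calls; the function names and sample bytes are made up for illustration, and it assumes the host allows `mprotect` to `PROT_EXEC` on anonymous memory.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 if the kernel will store into addr, 0 if the page is not writable,
 * -1 on error. read(2) reports a non-writable destination as EFAULT, so
 * probing a sealed page does not kill the process with SIGSEGV. */
static int page_is_writable(unsigned char *addr)
{
    int fds[2], result = -1;
    unsigned char same = *addr; /* write back the byte already there */
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], &same, 1) == 1) {
        if (read(fds[0], addr, 1) == 1) result = 1;
        else if (errno == EFAULT) result = 0;
    }
    close(fds[0]); close(fds[1]);
    return result;
}

/* Stage len bytes in a writable, non-executable page, then seal the page
 * as readable+executable with write access removed. Returns 0 if the page
 * was writable only before sealing and the bytes survived; else a step code. */
int wx_stage_and_seal(const unsigned char *data, size_t len)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    int rc = 0;
    if (pagesz <= 0 || len > (size_t)pagesz) return -1;
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    if (page_is_writable(page) != 1) rc = -3;
    else {
        memcpy(page, data, len);                      /* W, not X */
        if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) rc = -4;
        else if (page_is_writable(page) != 0) rc = -5; /* X, so must not be W */
        else if (memcmp(page, data, len) != 0) rc = -6;
    }
    munmap(page, (size_t)pagesz);
    return rc;
}

int main(void)
{
    static const unsigned char sample[] = "constructed sample bytes";
    int rc = wx_stage_and_seal(sample, sizeof sample);
    printf("wx_stage_and_seal -> %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The page is never writable and executable at the same moment, which is the property the page-level permissions enforce system-wide.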

      The OpenBSD project has made a decision against trusted-operating-system-style mandatory access controls that place kernel-enforced limits on what particular processes or users can do. “People who use such things build systems which cannot be administered later,” said Theo de Raadt, OpenBSD project leader, in Calgary, Alberta. “I am holding the fort against such complexity.”

      However, while mandatory access controls do make systems harder to administer, we've found the approach a very powerful defense in tests and would welcome the option to use these techniques with OpenBSD.

      OpenBSD's excellent packet filter, pf, is a big attraction of the platform because it provides such comprehensive firewall features coupled with a concise yet simple configuration file format.

      This release updates pf with traffic-shaping features that let administrators devote a set amount of bandwidth or a relative percentage of bandwidth to particular types of traffic or particular users. It also lets administrators prioritize selected types of traffic.

      West Coast Technical Director Timothy Dyck is at timothy_dyck@ziffdavis.com.

      Timothy Dyck
      Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master's of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.