Text 12537, 267 lines
Written 2006-08-13 09:38:56 by /m (1:379/45)
Subject: Take a closer look at OpenBSD
=====================================
From: /m <mike@barkto.com>
While I think there is some hyperbole in the article, it is a reasonable
overview...
http://www-128.ibm.com/developerworks/aix/library/au-openbsd.html?ca=dgr-lnxw07
OpenBSD
===
OpenBSD is quite possibly the most secure operating system on the planet.
[there's that hyperbole I warned you about - mm] Every step of the development
process focuses on building a secure, open, and free platform. UNIX® and Linux®
administrators take note: Without realizing it, you probably use tools ported
from OpenBSD every day. Maybe it's time to give the whole operating system a
closer look.
When security is of the utmost importance, it's only logical to look to the
same operating system that spawned today's standard in secure remote access,
OpenSSH (Open Secure Shell). OpenSSH is just one part of OpenBSD, a
distribution that has focused on security from the ground up, accomplishing a
goal of creating a UNIX®-like operating system that is secure by default. This
stand is in contrast to most operating systems today, which require significant
time and energy to harden the environment before going live. In fact, OpenBSD
is so secure that it was once banned for use in a DEF CON competition, where
crackers go after each other's systems.
An overview of BSD
Berkeley Software Distribution (BSD) is one of the oldest and most common
flavors of UNIX. Today, it has been split into multiple versions, with three
common open source distributions leading the way:
FreeBSD
OpenBSD
NetBSD
While FreeBSD is the most widely used of the three distributions, each version
has significant upsides that make choosing the correct solution an important
decision. FreeBSD is the most general of the three and thrives in i386
environments. When security is the highest item on your priority list, OpenBSD
is the right distribution. NetBSD offers a small and extremely portable
alternative, running on a huge variety of architectures.
The OpenBSD audit process
The OpenBSD audit process might be the biggest factor in the consistent
security found in this distribution. A team of experienced developers focused
on auditing each piece of code entered into the source tree. Code is analyzed
for security flaws as well as bugs in general -- bugs that might not affect
general functionality but could be exploited as security flaws down the line.
Every bug is taken seriously and immediately addressed. This proactive approach
has kept OpenBSD from being susceptible to unknown exploits, which other
distributions have to scramble to cover upon discovery.
OpenBSD: Where and when
Any environment in which security is important makes for a potential OpenBSD
installation. In today's more security-conscious world -- a world in which
computers are connected to the Internet 24x7 -- it's hard not to find a user
who doesn't take security seriously, be it in a home, government, or corporate
environment. Financial juggernauts have been known to rely on OpenBSD to secure
corporate networks and customer records. OpenBSD might not have a huge user
base compared to other UNIX-like operating systems, but it is installed at the
most crucial points of many networks.
OpenBSD, being a close relative of NetBSD, also runs on a wide variety of
hardware. Take a look:
Alpha: Digital Alpha-based systems
amd64: AMD64-based systems
Cat: StrongARM 110 Evaluation Board
hp300: Hewlett-Packard HP 9000 series 300 and 400 workstations
HP/PA: Hewlett-Packard Precision Architecture (PA-RISC) systems
i386: Standard computers based on the Intel® i386 architecture
and compatible processors
luna88k: Omron LUNA-88K and LUNA-88K2 workstations
mac68k: Motorola 680x0-based Apple Macintosh with MMU
macppc: Apple PowerPC-based machines, from the iMac on
mvme68k: Motorola 680x0-based VME systems
mvme88k: Motorola 881x0-based VME systems
SGI: SGI MIPS-based workstations
SPARC: Sun sun4-, sun4c-, and sun4m-class SPARC systems
SPARC64: Sun UltraSPARC systems
VAX: Digital VAX-based systems
Zaurus: Sharp Zaurus C3x00 PDAs
OpenBSD core packages and features
Now that you've determined whether OpenBSD is an option for your hardware
platform, let's take a closer look at some OpenBSD highlights.
OpenSSH
The first package of note is OpenSSH, with which every UNIX and Linux® user is
familiar. However, many people might not know that it comes from OpenBSD
developers. OpenSSH was originally developed for OpenBSD and has since become
the standard Secure Shell (SSH) package, ported for just about every version of
the UNIX, Linux, and Microsoft® Windows® operating systems. OpenSSH includes
ssh for secure logins, scp for secure copies, and sftp -- a secure alternative
to ftp. All source code falls into the open source BSD license, following
OpenBSD's directive to keep all proprietary code and restrictive licensing
schemes out of the distribution (which was the initial impetus to create a new
version of SSH). Every piece of software included in OpenBSD is completely
free, with no restrictions on use.
Cryptography
Because the OpenBSD project is based in Canada, no United States export
restrictions on cryptography apply, allowing the distribution to make full use
of modern algorithms for encryption. Encryption can be found almost everywhere
in the operating system, from file transfers to file systems to networking.
Pseudo-random number generators are also included in OpenBSD, which ensures
that random numbers cannot be predicted based on the system state. Other
features include cryptographic hash functions, cryptographic transform
libraries, and cryptographic hardware support.
Another heavily exported piece of OpenBSD is the IP Security Protocol (IPSec),
which the operating system uses rather than relying on the inherently insecure
TCP/IP Version 4 (IPV4). (IPV4 chooses to trust just about everybody and
everything.) IPSec encrypts and validates packets to protect the privacy of
data and to ensure that no changes are made to packets during the delivery
process. IPSec became an integral piece of the standard Internet Protocol with
the introduction of TCP/IP Version 6 (IPV6), making the future of the Internet
more secure by default.
OpenBSD as firewall
Because OpenBSD is both thin and secure, one of the most common OpenBSD
implementation purposes is as a firewall. Firewalls operate at the ground level
of most secure locations, and OpenBSD's implementation of packet filtering is
top notch. Packet Filter (PF) -- an open source solution designed by the
OpenBSD development community -- is the OpenBSD method of choice. Like many
other pieces of OpenBSD software, its success has prompted the other BSD
variants to port it into their own distributions.
OpenBSD is set up to be secure by default, so there aren't too many services
that you must turn off to set up a rock-solid firewall. You will have to enable
a second Ethernet interface and configure PF to your needs. See Resources for
links to articles on how to set up an OpenBSD server as a firewall.
Encryption and random numbers
Most operating systems include little or no encryption in key elements, which
creates an inherent lack of security. A big reason for this deficiency is the
simple fact that most operating systems ship from the United States, where
developers aren't allowed to export robust cryptographic software.
Cryptographic hash libraries in OpenBSD include MD5, SHA1, and RIPEMD160.
Cryptographic transform libraries in OpenBSD include Blowfish, Data Encryption
Standard (DES), 3DES, and Cast.
Most of this cryptography operates behind the scenes, keeping users from having
to become experts on cryptography to keep their systems safe. The OpenBSD
development team understands that most administrators aren't experts in
security and shouldn't be expected to jump through hoops to harden their
environment. People who believe that OpenBSD isn't a user-friendly operating
system are largely misinformed. If most administrators spent the time to put
OpenBSD's default security measures in place on any other distribution, they
would likely change their line of thinking.
Random numbers are a key component to making all this security happen. The
OpenBSD kernel uses interrupt information to create a constantly changing
entropy pool that provides data to seed cryptographic functions and provide
numbers for transaction IDs. For instance, pseudo-random numbers are used for
process IDs and packet IDs, which makes spoofing significantly more difficult
for a would-be attacker. OpenBSD even uses random port assignments in bind(2)
system calls. Most UNIX-derived operating systems either create IDs
sequentially or have a simple algorithm that can be exploited by predicting
results.
While the OpenBSD team is still exploring more extensive encryption of the file
system, steps have been taken to encrypt data where possible. The swap
partition is divided into small sections, each encrypted with its own key,
ensuring that sensitive data doesn't leak into an insecure part of the system
-- a common problem on a traditional UNIX- or Linux-based system. If you want
to encrypt user data, you can use Cryptographic File System (CFS) in OpenBSD.
CFS operates at the user level, communicating with the kernel through Network
File System (NFS). The system gives users transparent access to encrypted
directories, so they can choose what data is encrypted without being burdened
by the encrypt/decrypt process.
Note: See Resources for more information about cryptography in OpenBSD.
Installing OpenBSD
Without a full understanding of OpenBSD's benefits, new users might lean toward
a familiar Linux distribution because they're intimidated by the BSD
installation process, which has a reputation of being difficult. While the
installation might not be what most users are accustomed to, this article
provides a quick overview of the process to demonstrate how easy setup can be.
Spending a bit of time to learn about the OpenBSD installation process to save
hours locking down a Linux distribution that isn't secure by default is often
the pragmatic decision.
There are several installation methods, and steps vary by platform. I focus on
a basic CD-ROM installation on an i386 server (for example, a computer running
an IBM server) by creating your own CD set. This process is not documented in
the official FAQ.....
Sounds great, now how do I use it?
In contrast to learning how to secure your system (which already has rational
default settings), there are some steps that you might want to be aware of
before you start administering your system as a new OpenBSD user.
First, by default, no users are included in the wheel group, which means that
an attempt to use the su command will fail. Create new users from the command
line with the adduser command, which leads you through a simple question and
answer session to set up defaults (a one-time process) and to create your first
user.
Say, for example, that you created a user called bsdadmin. If bsdadmin is going
to be your primary administrative account, you want to be able to use the su
command to access the root account quickly. To do this, log in under the root
account, and then edit the /etc/group file to include bsdadmin in the wheel
group. Simply append bsdadmin to the first line (the one that says
wheel:*:0:root).
Second, check the system default settings in the /etc/ directory. Tread
carefully here, as most services are turned off by default for a reason.
OpenBSD uses rc.conf to launch most startup daemons. You'll see that services,
such as httpd and nfs, are turned off by default -- even PF is off. As an
example, you can turn Apache (httpd) on by adding the line httpd=YES to
/etc/rc.conf.
While OpenBSD might not have graphics-based tools to help in system
administration, the OpenBSD developers have given extra attention to providing
extensive, accurate man pages for each component of the operating system. I
recommend that you make liberal use of the stalwart man command any time you're
confused or simply want to learn about a new tool....
Wrap-up
OpenBSD strives to be the most secure UNIX derivation on the planet, and not
much is left to be desired. Design principles, such as code auditing, extensive
use of encryption, and careful configuration choices, combine to ensure
OpenBSD's secure by default philosophy holds true. While it is most common to
find OpenBSD installations in secure servers and firewalls, OpenBSD's wide
hardware and software support makes the operating system suitable for a large
range of purposes. UNIX and Linux gurus alike will find many parts of OpenBSD
familiar, and they will likely appreciate the areas in which it purposely
strays from the pack....
[lots of good links omitted, see the original article]
===
/m
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
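An added example, not part of the original message or the quoted article: a POSIX shell check for the two post-install steps the article describes, listing who is in the wheel group in /etc/group and which services are switched on in /etc/rc.conf. The function names, the constructed sample files and the name=YES/NO layout of rc.conf are assumptions based on the article's description.

```shell
#!/bin/sh
# Added example: audit wheel membership and enabled services (OpenBSD-style files).

# Members of the wheel group, one per line (format: name:passwd:gid:user1,user2).
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${1:-/etc/group}" | sort -u
}

# Wheel members of group file $1 that are not on the expected list $2
# (space separated); these accounts can su to root without being planned for.
unexpected_wheel() {
    for u in $(wheel_members "$1"); do
        case " $2 " in
            *" $u "*) ;;
            *) echo "$u" ;;
        esac
    done
}

# Names set to YES in rc.conf. The file is read as shell, so the last
# assignment to a name wins; comments and quotes are ignored.
enabled_services() {
    sed -e 's/#.*//' "${1:-/etc/rc.conf}" | awk -F= '
        NF >= 2 {
            name = $1; val = $2
            gsub(/[ \t]/, "", name); gsub(/[ \t"]/, "", val)
            state[name] = val
        }
        END { for (n in state) if (state[n] == "YES") print n }' | sort
}

# Constructed sample files (not taken from a real host).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
wheel:*:0:root,bsdadmin
daemon:*:1:daemon
EOF
cat > "$sample_dir/rc.conf" <<'EOF'
httpd=NO        # off by default
pf=NO
# sshd=YES inside a comment must not count
httpd=YES       # line appended by the administrator
EOF
echo "unexpected in wheel: $(unexpected_wheel "$sample_dir/group" "root")"
echo "enabled services: $(enabled_services "$sample_dir/rc.conf")"
```

Called without a file argument, wheel_members and enabled_services read /etc/group and /etc/rc.conf; unexpected_wheel takes the group file and the list of accounts expected in wheel.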