OSes like OpenBSD, FreeBSD, and major Linux distributions are all well within the range of popularity where obscurity does not provide security, particularly considering the similarities between these systems, the commonality of software between them, and their ubiquity as Internet-connected server systems. Couple this with the fact that — in the case of open source projects like Linux distributions and open source BSD Unix systems — the matter of security through visibility is a significant factor, and the accidental security through obscurity argument starts looking pretty thin. … Why does it matter if that’s the reason something like NetBSD suffers fewer security breaches per system in play than MS Windows, or even MacOS X? Isn’t the important factor, for security purposes, that a system is less likely to be breached? [From The value of accidental security through obscurity]
Browsing Posts in BSDs
FreeNAS makes it easy to add storage to home networks:
FreeNAS is a small, powerful, full-featured implementation of FreeBSD as a network-attached storage device. (It also happens to be January’s Project of the Month at SourceForge.net.) If you’re a Linux user like me, the BSD-speak used for devices and such might give you pause, but other than that small caveat, installation and usage shouldn’t be a problem. It’s powerful enough to be used in the enterprise, but it’s friendly enough so that even a typical home office user can take advantage of it. Here’s how I created an easy-to-use NAS device for rsync backups and FTP server on my LAN.
Build your own gateway firewall:
Learn how to build your own gateway firewall using FreeBSD and old PC parts. The firewall will consist of the PF firewall, Snort IDS, various IPS applications, Squid proxy, and some intuitive web interfaces for auditing. The cost of this project should be between free and $200 depending on your resourcefulness. I built mine for free using spare parts that were stockpiled in personal storage and parts that the USMC was throwing away, but you can build one from used and/or new parts for dirt cheap.
One of the main reasons that I’m so involved with Open Source is that I’ve always been fascinated by figuring out how things work. In this interview, John Baldwin of the FreeBSD project gives some insight on what it is like to be a FreeBSD developer and some of the things that happen behind the scenes of a large Open Source project.
Setting up Linux compatibility on FreeBSD 6:
As a FreeBSD desktop user I occasionally feel left out when it comes to the availability of applications, particularly desktop applications or binary-only browser plugins produced by commercial closed source vendors. Sometimes a good alternative lurks in the vast FreeBSD ports collection, but not always. The version available may lag a couple of revisions behind what I need, or the port might exclude my particular architecture. Fortunately, FreeBSD can run binaries and shared libraries that have been compiled for Linux and other Unix ABIs (such as SVR4 and SCO).
Interview: Theo de Raadt of OpenBSD:
Theo de Raadt is the project leader for OpenBSD, a Unix-like operating system. We spoke with Theo about the upcoming release of OpenBSD, 3.9, the financial state of the project, and about companies that profit from free software without contributing back.
Virtualization with FreeBSD Jails:
Consolidating several small machines into one powerful one has advantages in administration and resource usage. It also has implications for security and encapsulation. FreeBSD’s jails feature allows you to host multiple separate services on a single machine while keeping them securely separate. Dan Langille shows how.
This short article looks at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD installations in about four minutes flat.
Until recently, setting up an open-source IPSec solution has been woefully complex and involved wading through an alphabet soup of committee-designed protocols. Many people give up on IPSec after their first peek at the horrible and complex software documentation, opting instead to install some sort of commercial SSL VPN which seems much simpler. For those who have been through this exercise, a jumble of SAs, ESPs, AHs, SPIs, CAs, certs, FIFOs, IKEs and policy jargon inside RFCs is enough to give anyone a headache. However, there is good new on the IPSec front: it has all finally been covered up with a nice, simple way to set it up under OpenBSD.
Several people wrote in about Jason Miller’s article “How not to respond to a security advisory” in a SecurityFocus opinion column. The short version is that a recent advisory shows that root can temporarily replace system immutable files by mounting over them. That’s not a shockingly new discovery (some people would even expect that to be the case), but Jason took offense in Theo’s vendor reply, which reportedly was “Sorry, we are going to change nothing. Securelevels are useless.”
Creating secure wireless access points with OpenBSD and OpenVPN:
You know how insecure 802.11x wireless networks are. In this article we’ll create an OpenBSD-based secure wireless access point that prevents unauthorized access and encrypts every packet using a VPN tunnel. OpenBSD is one of the most secure operating systems available, is easy to use, and includes almost everything you need for this project in the base installation.
The official release announcement will soon appear. The OpenBSD team has released version 3.8 right on time, as usual.
Column: OpenBSD’s network stack:
Federico Biancuzzi: OpenBSD’s network stack
Column: Security-related innovation in Unix:
Jason Miller: Security-related innovation in Unix
m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent. m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
OpenBSD-based web application firewall:
Srebrenko Sehic writes:
Just wanted to let you guys know that Armorlogic is using OpenBSD as the core of it’s new web application firewall product called Profense. When choosing an operating system to base Profense on, we didn’t even have to think about others. OpenBSD gives us complete freedom to re-use the code as we like, unparalled stability, security, robustness, and a clean code base. If you are interested, check out our website at www.armorlogic.com for more information about Profense. You can also download a free evaluation version.
Jennifer Granick blog feelings on
the subject
