Blog article: "Security : OpenBSD VS FreeBSD"

Reading this article is like turning a knife in a wound which is pf(4).
If I remember it well (and please correct me if I'm wrong), PF in FreeBSD mutated into a fork for performance reasons and is stuck catching up with the development in OpenBSD because of this.
If a product is designed for security and is then altered for performance reasons, life experience tells us that problems are to be expected one way or another.
To me it is like hubris: forking something and then falling short on further maintenance. I'd appreciate it if someone maintaining/developing PF on FreeBSD came up with some words on this matter.

Do grep -B1 -A4 OpenBSD /usr/src/UPDATING, look at the date, and you cannot be happy.
 
Indeed very interesting links! Thank you gkbsd

Kristian Kræmmer Nielsen boils it down to this: https://lists.freebsd.org/pipermail/freebsd-current/2014-July/051234.html

Anyone planning to run FreeBSD on multicore computers and/or use IPv6 on it with PF should have read that thread on the mailing list.

The PF situation is recognized (by too few?), but it looks like no action is to be expected soon:

Pragmatic view on this:
* missing funds
* missing manpower
resulting in a prognosis that could not be worse.

I'm wondering why the PF situation is not actively used by the FreeBSD Foundation to raise funds.

Anyway the situation needs ongoing attention as there are no signs of action noticeable, and perhaps more pressure on those making decisions. Decisions that are overdue.
 
This was quite a fascinating read. Kudos to the author for putting together such a comprehensive piece. Nowhere else are these two so adequately compared. There was a Swedish master's thesis from 2006 that still seems to be available (http://www.diva-portal.org/smash/get/diva2:5365/FULLTEXT01.pdf); perhaps some might be interested.

One question that I do have, what does all of this mean for pfSense? As far as I am familiar it is based on FreeBSD.
 
One question that I do have, what does all of this mean for pfSense? As far as I am familiar it is based on FreeBSD.
In the short to medium term all of the above means nothing to pfSense, as the pfSense people chose a long time ago to pretend that OpenBSD doesn't exist. Such a state of affairs is in no small part due to the distaste of the OpenBSD community (which I am part of) for projects like pfSense. pfSense, according to the mainstream OpenBSD view, adds nothing (I will come back to that claim in a moment) to the value of PF functionality but is just trying to lower the entry bar for new users by using a stupid PHP interface. That has the additional negative effect of shielding end users from the internals of PF and in some sense discouraging them from properly learning PF before deploying it. In reality, as all of us know, OpenBSD does exist and PF is a brainchild of OpenBSD developers. In reality the pfSense people are not just PHP coders but also real network guys who realized a while ago the value of a guided installation and an appliance. The pfSense guys have a bunch of PF patches for the FreeBSD version of PF, not all of which were available in vanilla FreeBSD. They also have very good documentation. Recently they switched from 8.xxx to FreeBSD 10.1, so now they work with the latest and greatest code base. I find the pfSense book a great addition to the Book of PF. Officially their long-standing explanation for picking FreeBSD over OpenBSD as the base of their network appliance has been that "FreeBSD has so much better network performance and PF works so much better on FreeBSD". Although I use only vanilla OpenBSD on my firewalls, I learned a lot about monitoring my network from reading the pfSense documentation. I personally have no problem with their business model (selling small network appliances) and making money off consulting/books, as they are a true open source project.
On the other hand, the OpenBSD core people will probably never change their attitude, which is still better than what happened with ComixWall, an Internet Security Gateway which was based on OpenBSD. ComixWall was shut down when the author was publicly mocked and flamed on misc@openbsd for announcing the release of his network appliance.

There is another firewall appliance based on FreeBSD called m0n0wall. It is based on Darren Reed's infamous IPFilter. m0n0wall is specialized for embedded devices. The base of m0n0wall is nanoBSD. The author was never shy to admit that he is just a PHP coder. The greatest contribution to the BSD ecosystem which came from m0n0wall was the fact that its PHP interface was the base for several FreeBSD appliances, most notably the original FreeNAS, which later split into the Linux-based OpenMediaVault, NAS4Free, and iXsystems' FreeNAS (which is completely rewritten from scratch and my favorite NAS appliance hands down, with great features, though not too useful for the home user anymore due to the hardware requirements).

Anyhow, going back to your original question. If PF gets removed from FreeBSD, which would not be unexpected for people like me who have been warning for a long time that PF is not really portable (unlike OpenSSH or OpenSMTPD, for example) and that it requires real love on FreeBSD, not FreeBSD-specific patches which create a pseudo-fork, then pfSense will find itself without a base. They might choose to use OpenBSD as a base (I am not sure how difficult that would be, but it certainly would not be easy). They might decide to switch to IPFW, or they might even pay a developer to develop a modern firewall solution for FreeBSD (something like NPF for NetBSD). Personally, having some familiarity with IPFW from when it was used by OS X, I would strongly favor the last option. On the other hand, IPFW is getting quite some love these days and is in active development. Pruning IPFirewall and PF and focusing FreeBSD on IPFW or a new firewall would be a good thing IMHO. However, FreeBSD has a scary history of half-finished projects.

Since we mentioned all BSD flavors, let me mention that DragonFlyBSD is facing the same problems as FreeBSD and it seems that for now they are taking the same route (with custom PF patches and a pseudo-fork). I have also noticed that somebody was, for the first time, playing very hard with IPFW2 on DragonFly.
 
DragonFly also seems to have implemented their own kind of threading system to improve pf performance. I guess it too will have to face a difficult future of remaining in sync with OpenBSD. It would truly be a sad day if OpenBSD's pf is abandoned. It truly is an inspired piece of work. I've heard others argue that as long as one is running OpenBSD perimeter firewalls, gateways, switches etc., a FreeBSD server itself can be somewhat "hobbled" in terms of security. Does this make sense?
 
Funny how "security" for many seems to boil down to "firewall". This (well, in my mind's eye), however, is basically quite nonsensical for different reasons. For one, firewalls (in a professional setting) are pretty much always dedicated devices. So, even if we assume that OpenBSD is better in that regard, we are free to use OpenBSD for our firewall and that's about it.

Funnily, I happen to work in the field of security and my take is quite different. But don't get me wrong, I'm in no way anti-OpenBSD! In fact, I highly value those people, albeit mainly for all the other projects they do (like OpenSSH) and because they play the - important - role of the nagging conscience (in terms of security) in the Unix world.

Let me come back to an argument mentioned above, namely why OpenBSD dislikes pfSense (because, so they say, it doesn't add anything but rather lowers the entry bar for Joe and Mary). Pardon me, but frankly, this is outright stupid. Because it grossly ignores the very definition of real world security. Let me elaborate:
Security is not created by some purist high priests religiously and fervently building ever more ivory-tower specialist "secure" systems. Simply because that runs miles beside the battlefield. Our problem today isn't "Oh no, he got hacked because he used FreeBSD. If only he had used OpenBSD he would've been secure". That is even doubly true. For one, FreeBSD does provide relevant security mechanisms, but also, and more importantly, because FreeBSD users (like OpenBSD users) actually are quite knowledgeable (as compared to gazillions of iDevice and Windows and Ubuntu users). Most of them do understand, at least to an acceptable degree, both the importance of security and how to properly avoid major holes.
Secondly, virtually every major real world security problem is based in, pardon me, idiocy. Idiocy as in "plugging the plastic box in with default settings", "I've installed Antiviron-X, I'm secure" or "Well, online banking is a web site, so I open a new tab in my browser (right next to the porn tabs) to do online banking".
Funnily, there are many (and increasingly more) "low level" Joes and Marys out there who even do care about security (that's why they buy some anti-virus snake oil rather than using a free version) and ... boom ... shit flies in their faces. Shit in the form of cryptic-looking security devices, cryptic-looking tools and commands. So, Joe and Mary try something that is actually reachable for them; maybe a Windows firewall, maybe a plastic box that costs $100 more than the average boxes but has "Cryptonomicon 3000 high security!" stamped on it in red.
That's why pfSense (and similar) solutions are very helpful and laudable, and the smug idiots are not the Joes and Marys who work hard to understand pfSense (and similar) - but the AOBAs (arrogant OpenBSD assholes) who ridicule Joe and Mary.

Again, and well understood, I personally detest Ubuntu (to switch to another problem and security area). But - and that's an important but! - I also see that Ubuntu has made Linux "living room acceptable" and has replaced millions of Windows boxen. Even more importantly in terms of security, Ubuntu has brought something similar to a real OS, and even occasional use of the command line, to Joe and Mary. It's thanks to the Ubuntus & Co. out there that today we have millions and millions of Joes and Marys who dare to try to use a simplistic firewall themselves ... learning again along the way.

I loved OpenBSD. I actually ran servers and firewalls and net-farms with it (some 15 years or so ago). But I had to pay a high price: I had to get one of the only 2 RAID controllers supported, I often had to say "No, can't do" to good customers who wanted some machine (say a Primergy) hosted that had unsupported devices in it, and so on (also, the OpenBSD crowd was not exactly helpful (but rather arrogant)). Finally I just had to switch to FreeBSD. Oops. Suddenly a whole cluster of painful problems and kludges simply vanished and (professional) life became so much easier - with no less security.
Of course I didn't lose sight of OpenBSD, but I never returned and I never regretted having switched.

Today, frankly, I think that OpenBSD "security" has largely become a fairy tale - albeit a vital one - and the justification for OpenBSD's existence. Of course, they defend that with teeth and claws. FreeBSD's PF weakness comes in handy for that. But again, a firewall is just that, a firewall, one of many, many, many factors in terms of security.
If anyone feels like giving (yet another) wake-up call to the OpenBSD crowd, tell them: security must be reachable and usable in real world scenarios by real world people. And that's one issue where FreeBSD (and even Linux) runs circles around them.
 
Funny how "security" for many seems to boil down to "firewall". This (well, in my mind's eye), however, is basically quite nonsensical for different reasons.
You are 100% right on that one, and if you look at the OP, firewall functionality is mentioned as one but not the primary reason for OpenBSD security. The discussion diverged a bit after the OP posted those nice threads about PF on FreeBSD. I agree with the rest of your post and can easily see why somebody would just stick with FreeBSD for all his/her needs. By the way, I hope it was clear from my post that I didn't share the mainstream OpenBSD view about pfSense. I actually think that it is an extremely interesting and valuable project. For the record, all FreeBSD distros that I am aware of: m0n0wall, pfSense, FreePBX, BSD Router Project, PC-BSD, TrueOS, FreeNAS, and GhostBSD are all very interesting and valuable projects. I am a heavy TrueOS and FreeNAS user. I also really miss Frenzy and I feel very nostalgic about FreeSBIE.
 
rmoe Thanks for sharing your experience in the field. I agree that not everyone is a sysadmin or a security expert and that having simplified web interfaces can invite some people into the field, like "Joe and Mary". FreeBSD definitely has its advantages in a professional environment (where I am also using it).
 
It's not about inviting Joe and Mary into the field (of IT security) but about making (at least some) IT security actually available and usable for Joe and Mary. After all, what good is security if only a select few can actually use it?

Also: just have a look at security devices, for instance SELinux, TOMOYO and others on Linux. The vast majority doesn't use (or even know to a reasonable degree about) them.

Some (by no means all) comments on your article:

I think that it's a large base on which you can work more and refine over time. I'm under the impression, though, that it's biased. Not in terms of malevolence but by a starting bias that, btw, is not uncommon, namely the assumption that OpenBSD is the best and hence a reasonable feature matrix against which to compare other operating systems.
I'm also under the impression that your article might greatly benefit from a more profound understanding of the relevant details. Currently, so it seems to me (and I apologize if I'm mistaken), there is a tendency to accept statements at face value and to simply list everything.

Let me offer an example. OpenBSD (which chose a fish that pumps itself up to look more imposing ... maybe that actually is more than a funny picture) declares with a full mouth that at any given point in time 6 to 12 people of their team are auditing OpenBSD.
Now think. Is that indeed a relevant and valid statement?
If so, then Windows must certainly be more secure than OpenBSD, no? After all, they don't have 6 - 12 but 60 - 120 or even more auditing their code.
IMO even more important, though: did you ever see an OpenBSD audit report? If not, let me make you a very special X-mas price on the Tour Eiffel ... *g - Seriously, looking closer one might get the impression that those ominous audits are yet another version of the pumped-up puffer fish; lots of volume, little meat.

Allow me to suggest a better approach than collecting talking points of the OpenBSD evangelical team and comparing other OSes against those:
You (yes, you yourself) must come up with a list of relevant desirables against which you examine each OS. How to do that? You got me, that's a hairy beast. I'm afraid you'll need lots and lots of real world experience, not only from the white side but also (at least) from the black side. And of theory. And of software development. And of OS innards.
Last but not least, unless you desire to add yet one more paper to the huge number of (rarely read) academic papers on the matter, you might want to ask a very, very important question that is unpleasantly rarely asked: security what for, security against whom? Because, after all, from that derives the only really relevant measure, namely real life security.

An example: security is a very different thing depending on whether you look at script kiddies, semi-professional hackers for evil fun, or an NSA tailored access team. Of course, quite a few (seriously) will try to protect against a TAO team while virtually everyone (running a server) will love to be protected against script kiddies and the gazillions of hobby intruders. In other words, talking about "security" one needs a context.

Another issue that you (like almost everyone else) don't mention: a major part of the security devices of any OS are not against intruders - they are, in fact, against a large and (quality-wise) largely different plethora of userland programs, like idiocy in web or mail servers or (a gazillion other programs and programming incompetencies). It is, in fact, quite rarely the OS itself that opens all doors wide; it's drivers, daemons, libraries, applications.
To summarize, there are basically 4 problem/trouble sources: the OS itself, legitimate code (drivers, programs, etc.), legitimate (but incompetent and/or evil-spirited) users, and finally, real outside intruders.

In the end it boils down to:
- How is the OS itself designed and implemented?
- How is the code around it, i.e. drivers, core libraries, and finally userland?
- How well is an OS actually protected against incompetent or evil-minded legitimate users? (Hint: the latter are among the most dangerous threats against any OS)
- How well is an OS protected against outside intruders (which, in large part, falls back to point 1)?
 
In writing the article I did not indeed take the assumption that anyone could be lying, either OpenBSD or FreeBSD. That would require asking the developers if they really do what they claim to do, with no way to check, and there would be no article at all, as every piece of information claimed for OpenBSD or FreeBSD could be a lie or just wrong from that point of view. Also, I did not start the article assuming OpenBSD was more secure, but instead by stating that OpenBSD is claiming it (or is often considered so because they claim it), and that I wanted to investigate (hence the article). Believe it or not, I had no idea while I was writing it what I was going to discover along the way. Then, there is a lot more to say about security than just comparing two OSes, I do not deny that at all, but the article is not meant to address the whole issue; it's rather a focus on two OSes. I am not asking you to agree with me at all; the very fact that it starts a discussion gives some interesting arguments to everyone, and it's a good thing.

Regards,
Guillaume
 