[ale] OpenBSD, FreeBSD

Michael H. Warfield mhw at wittsend.com
Tue Dec 14 21:44:51 EST 1999


On Tue, Dec 14, 1999 at 08:32:14PM -0500, jj at spiderentertainment.com wrote:
> "Michael H. Warfield" wrote:

> >         Theo?  A tad abrasive?  Nah!  :-)  (Duck)
> >         Not as long as you have a thick skin.  (Duck again)

> I'll list myself in their list servers... I guess I'll find out if I have a thick
> skin   (Duck)

	Join the club...  :-)

> >         For the record, I've shared a few beers with Theo.  I found him
> > opinionated as I'm sure he found me (If he remembers me at all...  Gets
> > a bit fuzzy after a few beers at 1AM in a bar in San Antonio).  I don't
> > agree with all of his opinions and I'm sure he doesn't agree with all of
> > mine.  He can be real hard on the nerves if you aren't prepared for him
> > and I can really see where he would scare the bejesus out of newbies.
> > Don't get into a debate with him unless you are REALLY prepared to defend
> > your arguments rationally.  Over all...  I like dat man and respect him,
> > even if I don't agree with him 100%.

> Who is Theo ?

	Loosely...  Theo de Raadt is to OpenBSD what Linus Torvalds is to
Linux.  I've been at a bar with Theo (USENIX Security Symposium in San
Antonio Texas) and been at a couple of dinners and a couple of parties with
Linus (much MUCH bigger crowds).  Would be amazed if either remembered me
(but for totally different reasons :-) ).

> >         I would suggest looking over the Bastille Linux security hardening
> > script.  They've just released version 1.0 to rave reviews at the SANS
> > security conference.  This is second hand.  I haven't laid my hands on it
> > personally, yet.  Planning on it for today or tomorrow so I can incorporate
> > it into my upcoming security tutorials at LinuxWorld.  :-)  You might also
> > want to look at the LIDS (Linux Intrusion Detection System) project but
> > I'm not as comfortable with the direction that's going in (some of their
> > stuff interferes with dynamic firewalls) and it's got a ways to maturity.

> Can you post a message to ALE once you review 1.0 ?

	Will give it a shot.  First I have to get my seminars ready for
LinuxWorld or they will crucify me.  :-/

> >         Why would you think that?  I know of a lot of people who think just
> > the opposite.  And *BSD is almost an oxymoron in and of itself because of
> > the differences between the BSDs.

> So what would you recommend for a heavy duty intel based site, that has its share of
> attacks ? I am mostly interested in the web/named applications.

	You don't specify how fat your pipe is but I'm going to assume that
network bandwidth will be a limiting factor LONG before the OS will.  I had
a $#@$#@ engineer take down an entire 10baseT collision zone copying entire
CD images between two Linux boxes.  You can't do that to 100baseT but you can
get the attention of the others on the net who WILL notice a momentary
hiccup in throughput.  (Note:  We also occasionally had some switched routers
see so much traffic from the Linux boxes that they thought there was a
collision overload and shut the link down...  Think about it...)

	I would personally install Linux with firewalling code enabled and
Abacus PortSentry enabled to discourage the ankle biters.  Behind that,
tighten up your tcp wrappers code to match what you want to allow (and deny
everything else).  Behind that, you apply your application security such
as web access controls, SSL, account access, etc, etc.  Shim each layer
with logging and log detection logic.  It's what we refer to as "defense
in depth".  If you can afford it, off load your logging off to a dedicated
logging box with a secure log server and log monitoring process and NOTHING
else running on the logging box (makes it a bitch to diddle the logs when
breaking into a system :-) ).

> >         I have Linux, FreeBSD, and OpenBSD (and SCO Unix, and Solaris, and
> > Solaris x86, etc, etc) running side by side, here at home and at the office.
> > I LIKE Linux.  FreeBSD and OpenBSD are perfectly acceptable with no
> > prejudice against them or anyone that uses them in preference to Linux.
> > But, realistically, none of them (Linux, OpenBSD, or FreeBSD) really blow
> > the other two out of the water in security, reliability, or performance.
> > The human factor there is just too big.

> You are right. Perhaps I am asking the wrong question here. My goal here is to push
> the software capability to its limit as getting another raid machine is a little too
> expensive for my taste at the moment. And I need another machine or faster OS (if
> there is anything faster than the unix flavor)

	Getting something faster means determining where your bottlenecks
and limits are.  Beowulf clusters are now qualifying as some of the fastest
supercomputers around, but that doesn't help you if the bottleneck is the
network channel or the disk bandwidth.

> I just got back to programming in Unix once again.
> My goal here is to strip the kernel from a lot of code. This might eliminate possible
> bugs and even perhaps create some new ones. But the reason behind it is that there
> is a lot of stuff that I would not need normally, all I honestly need is Apache, ftp,
> named, ssh, and sendmail. But I have one machine that is just running apache.
> So I was thinking all I have to do is strip some of the ipcs, file system handling,
> logging, change the net code a little, and a few other things. And before you think
> I might be crazy or anything, I know how much work it does entail just to change one
> of the key components here, and before you ask why, let me tell you that reducing
> one instruction from my current kernel net code would save me X amount of money.
> Getting another machine is just too expensive in hardware and man hours. Besides at
> the moment all I could afford is 64MB of RAM considering it's current price.
> 
> One question if you could answer, I read on this list folks who say that FreeBSD is
> ahead in its programming for SMP and I read folks who disagree, can you comment on
> this ?

	Removing 1000 instructions out of the kernel will save you nothing
except the space on disk if they never get executed.  Modular kernels don't
even LOAD unnecessary code.  I recently went round and round with Alan Cox
over getting the Computone multiport drivers into the kernel.  Sticking point
was the board's microcode.  We had to have a way to load the microcode into
the board but NOT tie up memory in either the monolithic kernel or the modular
load.  Turns out that "_init" for data is not freed up in modules, so that
didn't help.  We wrapped the data (and some init code) in _init segments
and then put the init stuff in its own module so it could be freed up
after the active driver was initialized.  Moral...  If you are worried about
code size bloat, make it modular and load what you need.  If you are worried
about every execution cycle (and some security) make it pure monolith and
only put in what you know you need.  You have the freedom to try either or
a combination of both.

	Most people would agree that FreeBSD is ahead of the Linux 2.0 kernel
in SMP support.  The 2.2 kernel is, in many minds, a generation beyond
FreeBSD.  I don't have SMP systems.  I'm a cheap lazy bastard that sits
behind the knee in the price performance curve and reaps the benefits of
people who buy state of the art.  Why should I buy a dual pentium whazoo
when two K6s will run rings around it at a fraction of the price?

> Thx for input. :)

	For what it's worth!  :-)

	Later!

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
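The tcp wrappers layer described in the message above ("match what you want to allow, and deny everything else") hinges on one detail of how tcp_wrappers decides: hosts.allow is consulted first, then hosts.deny, and a connection that matches neither file is permitted. The following is an added example, not part of the original message and not code from the tcp_wrappers project: a small Python evaluator for a subset of the hosts_access(5) language (ALL, exact IPv4 addresses, trailing-dot prefixes, net/mask, and the EXCEPT operator), run against a constructed policy whose daemon names, addresses and rules are made up for illustration. It contrasts a hosts.deny with the "ALL: ALL" backstop against an empty one, and includes a check that flags the latter.

```python
"""Evaluate a subset of the tcp_wrappers hosts_access(5) language.

Decision order, as tcp_wrappers applies it:
  1. first matching rule in /etc/hosts.allow -> permit
  2. first matching rule in /etc/hosts.deny  -> refuse
  3. no match in either file                 -> permit (!)
Step 3 is why "deny everything else" must be written down explicitly.
"""
import ipaddress

# Constructed sample policy (made up for this example, not from the post).
# Only lines that begin with '#' are comments, as in the real files.
HOSTS_ALLOW = """
# daemon_list : client_list      (office LAN is 192.168.1.0/24 here)
sshd:    192.168.1.0/255.255.255.0, 127.0.0.1
# ftp from the LAN, except one untrusted kiosk box
in.ftpd: 192.168.1. EXCEPT 192.168.1.66
ALL:     127.0.0.1
"""
HOSTS_DENY_DEFAULT_DENY = "ALL: ALL\n"
HOSTS_DENY_WEAK = ""   # empty hosts.deny: unlisted services stay reachable


def parse_rules(text):
    """Return [(daemon_list, client_list)] from 'daemons : clients [: opts]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))   # any option field is ignored here
    return rules


def daemon_matches(pattern, daemon):
    """Daemon patterns supported: ALL or an exact process name."""
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, client_ip):
    """Client patterns supported (IPv4 only): ALL, exact address,
    trailing-dot prefix ('192.168.1.'), net/mask or net/prefixlen."""
    ip = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    try:
        if "/" in pattern:
            # ipaddress accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0
            return ip in ipaddress.IPv4Network(pattern, strict=False)
        return ip == ipaddress.IPv4Address(pattern)
    except ValueError:
        raise ValueError(f"unsupported client pattern in this example: {pattern!r}")


def list_matches(field, subject, match_one):
    """Evaluate a comma-separated list with the EXCEPT operator.
    'a EXCEPT b EXCEPT c' nests as a EXCEPT (b EXCEPT c), per hosts_access(5)."""
    if " EXCEPT " in field:
        head, tail = field.split(" EXCEPT ", 1)
        return list_matches(head, subject, match_one) and \
            not list_matches(tail, subject, match_one)
    return any(match_one(p.strip(), subject) for p in field.split(",") if p.strip())


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """True if tcp_wrappers would let client_ip reach daemon."""
    def any_hit(rules):
        return any(list_matches(d, daemon, daemon_matches)
                   and list_matches(c, client_ip, client_matches)
                   for d, c in rules)
    if any_hit(parse_rules(allow_text)):
        return True
    if any_hit(parse_rules(deny_text)):
        return False
    return True   # fell through both files: tcp_wrappers permits


def unlisted_service_exposed(allow_text, deny_text, probe_daemon="in.telnetd",
                             probe_ip="203.0.113.9"):
    """Audit check: can an arbitrary address reach a daemon nobody wrote a
    rule for?  True means hosts.deny lacks its 'ALL: ALL' backstop.
    The probe values are arbitrary (a TEST-NET-3 address and a daemon name
    absent from the sample policy)."""
    return hosts_access(probe_daemon, probe_ip, allow_text, deny_text)


if __name__ == "__main__":
    probes = [("sshd", "192.168.1.25"), ("sshd", "10.9.8.7"),
              ("in.ftpd", "192.168.1.66"), ("in.telnetd", "203.0.113.9")]
    for label, deny in (("hosts.deny = 'ALL: ALL'", HOSTS_DENY_DEFAULT_DENY),
                        ("hosts.deny empty", HOSTS_DENY_WEAK)):
        print(label, "-> unlisted service exposed:",
              unlisted_service_exposed(HOSTS_ALLOW, deny))
        for daemon, ip in probes:
            verdict = "allow" if hosts_access(daemon, ip, HOSTS_ALLOW, deny) else "deny"
            print(f"  {daemon:11s} from {ip:15s} -> {verdict}")
```

The point the two runs make: with the same hosts.allow, the kiosk address excluded via EXCEPT is still accepted by in.ftpd when hosts.deny is empty, because the EXCEPT only stops the allow rule from matching and nothing then refuses the connection. Real tcp_wrappers also matches hostnames, daemon@host forms, wildcards such as LOCAL and KNOWN, and runs option commands; none of that is modelled here.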
