-
May 28th, 2002, 09:22 AM
#1
BSD or linux?
I've recently read that the BSDs are able to handle certain denial of service attacks much better than Linux. I looked around for the article, but couldn't find it. Is this another reason why a lot of people choose BSD over Linux? I ask because although I'm not concerned about out of the box security for Linux, I am concerned with its ability to handle kiddie attacks.
Wine maketh merry: but money answereth all things.
--Ecclesiastes 10:19
-
May 28th, 2002, 09:51 AM
#2
-
May 28th, 2002, 10:16 AM
#3
I've recently read that the BSDs are able to handle certain denial of service attacks much better than Linux. I looked around for the article, but couldn't find it. Is this another reason why a lot of people choose BSD over Linux? I ask because although I'm not concerned about out of the box security for Linux, I am concerned with its ability to handle kiddie attacks.
People tend to choose BSD over Linux because BSD has the edge when it comes to performance. In general, BSDs are faster and a BSD firewall can handle more traffic. BSDs also have a reputation for being more secure than Linux. This argument is subjective since it all depends on how you choose to configure the box. But a major point in BSD's favour is that it doesn't enable services by default the way that Linux does. You have to explicitly enable services that you want running with BSD. Other than that, the two OSes are pretty similar in functionality.
OpenBSD - The proactively secure operating system.
-
May 28th, 2002, 10:18 AM
#4
Senior Member
BSD can be set up as a firewall; with the pf option it is able to filter out incoming packets and drop useless ones.
-
May 28th, 2002, 11:26 AM
#5
All in all, the Linux kernel, while based on BSD, could be said to not be "as tight" or even as "aged" as some of the "original" BSD4.3 kernels (from which most of the OpenSource BSDs are based - Free, Net and Open... as well as BSDi, the commercial offering); please forgive my heavy paraphrasing / toned-down-ness or whatever... Linux is still, admittedly, pretty young. If you want network performance out of it, forget it... yes, I know "it's fast" (or at least seems so), but it lacks where it really counts and performance suffers because of it (ie. don't use it as a busy firewall or IDS box). For example, the packet capturing algorithms used to be pretty inadequate - while the BSDs use zero-copy packet captures, Linux... well... "doesn't" (unless that's recently changed, which I don't think it has or would have, etc). So, the long and the short of it in this question... if you want it to be able to absorb and process the traffic, you're generally going to have better luck with a real BSD than with Linux.
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
-
May 28th, 2002, 11:41 AM
#6
Originally posted here by smirc
BSDs also have a reputation for being more secure than Linux. This argument is subjective since it all depends on how you choose to configure the box. But a major point in BSD's favour is that it doesn't enable services by default the way that Linux does. You have to explicitly enable services that you want running with BSD. Other than that, the two OSes are pretty similar in functionality.
[Note - this isn't meant to be flaming or inflammatory, etc - good points by smirc, but I hoped to try to make a couple of small corrections to the generalities]
I think I specifically remember some (past) Linux vulnerabilities that would allow you to totally skip portions of the three-part handshake, getting you directly to the application layer. So, in this example, with identically configured BSD and Linux boxes the BSD machine would probably be much more secure.
Also, some flavours of Linux now prompt you for services to bring up by default before it finishes the install... Mandrake does a pretty decent job of smacking the user and saying "hey bonehead - these types of servers are being enabled and will be network accessible - are you sure?"
Finally, a system isn't "configured" and up for prime time until you plug that ethernet jack in... until then, you can edit and hack and harden all you need to or want on either/any platform (in fact, I recommend that you make sure to go through all these steps before you plug it in to ethernet... even Solaris or anything).
In general, this is an abbreviated list of what I do when setting up a new box:
1. Disconnect any and all network connections from the machine
2. Install the machine from verified, read-only media
3. Find a separate machine to download the latest and greatest system patches
4. Disconnect my download machine from the network
5. Verify the patch authenticity
6. Burn the patches to CDROM or place the two machines on a physically private network segment
7. Install the most current system patches on the new machine
8. Harden the system (incl. turning off or removing all unneeded services, installing new security measures, etc)
9. Install a consistency checker of some sort (eg. tripwire)
10. Build the consistency database for the filesystem
11. Backup the system to tape
12. Verify the tape as readable/restorable (restore a random file and verify the checksum).
13. Connect the machine back to the network and put it in production
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
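The "build the consistency database" and "restore a file and verify the checksum" steps in the checklist above, sketched as an added example that is not part of the original post and is not Tripwire: the function names (`build_baseline`, `compare`, `demo`) are hypothetical, and the sample tree is constructed inline.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline


def compare(baseline, root):
    """Return (added, removed, changed) relative paths, each sorted."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed sample tree: baseline it, modify it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        for rel, data in [("etc/inetd.conf", b"# no services\n"),
                          ("etc/passwd", b"root:x:0:0\n")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)  # taken before the box is networked
        with open(os.path.join(root, "etc/inetd.conf"), "ab") as fh:
            fh.write(b"# modified after baseline\n")
        os.remove(os.path.join(root, "etc/passwd"))
        with open(os.path.join(root, "etc/new.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        return compare(baseline, root)
```

The baseline is only trustworthy if it is stored somewhere the machine cannot rewrite once it is back on the network, such as the CDROM or tape already used in the checklist.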
-
May 28th, 2002, 04:22 PM
#7
Hey hey hey, keep in mind it's not Linux itself that's 'enabling things by default', it's the distribution. RedHat 7.1 didn't enable FTPd for me, nor HTTPd, etc., etc. I selected the typical install.
I don't think Slackware has ever come with services enabled by default. You have to choose what you're going to enable after install time. Slack is an excellent secure distro, with a great track record.
I'm not going to comment at all on the BSDs because I don't have any working knowledge of the OS.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
May 30th, 2002, 05:58 AM
#8
ok guys, I couldn't resist this one.
first off, the quote ".....linux.......enabling services by default" is only partially true. It will enable the services ONLY if you INSTALL the service to begin with...so what is the lesson learned here ?
Don't install **** that you don't intend to run. (common sense right?)
BSD is a broad topic to compare linux to. First off you are talking UNIX versus LINUX..
UNIX is like LINUX's father as it were. They are two different entities all together.
secondly, why is BSD so good ? 3 reasons, the kernel, its VM (virtual memory), and tcp/ip stack
There are numerous papers and other writeups on these topics, all you gotta do is google it.
(based on OpenBSD)
What makes a BSD so hard to crack? To put it in an easily understood manner... it's simple. That is it, it's a simple OS. It has a core that it will install with services that are commonly used on said OS, but that is about it. You don't need anything else to run the system. Now of course there are other packages to install, roughly 1600 of them, but who needs them anyways. Download your patches, install them, download kernel source, recompile your kernel for speed and other things (I dedicate 16 MB of RAM to network traffic and other things as well), disable sendmail and other unused services, lock down some folders and delete some users, and wham, you have a system that OPENBSD touts "has not been cracked remotely in 4 years"........nothing else can say that.
I took the liberty of doing a few google searches for you all.
http://www.google.com/search?q=bsd+V...e=UTF8&oe=UTF8
http://www.google.com/search?q=bsd+t...e=UTF8&oe=UTF8
http://www.google.com/search?q=bsd+v...e=UTF8&oe=UTF8
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
May 30th, 2002, 06:12 AM
#9
Junior Member
-
May 30th, 2002, 06:15 AM
#10
OpenBSD also has a team dedicated to auditing all the code that goes in the base install...
So even sendmail that usually has a bad rep is safe out of the box with obsd. It's also pretty routine to hear that openbsd found and fixed bugs/vulnerabilities first or that it isn't vulnerable to new found hacks because some ugly code was cleaned up before it was known to be exploitable...
The bsd community (particularly OpenBSD) also has a different mindset: the development team doesn't have to answer to anyone, so they can do things if/when they want. Good example of that would be OpenBSD's release cycle: every six months you get a stable release that you know things haven't been rushed in at the last minute. Control of the os is much more restricted.
It's a lot a mentality thing...
Ammo
Credit travels up, blame travels down -- The Boss