Router + firewall + NIDS questions

Warren Togami warren at togami.com
Sun Aug 26 04:17:49 PDT 2001


The default security settings of OpenBSD are much better for security, and
the audited code is tighter, but I must respectfully disagree that Linux
security is bad.  If you know what you are doing, disable all services, and
properly configure iptables, Linux can be just as secure as OpenBSD in doing
that job.

But yes, Linux distributions, particularly Red Hat, have made extremely
bonehead decisions in the past in leaving certain services active in the
default install.  Fortunately, they have learned their lesson, and the latest
distributions of Linux are more secure by default, but things could still be
improved.  I don't know why they insist on keeping portmap and sendmail
installed and active in the default install.

Netfilter has much greater flexibility and power in firewalling rules than
IPFilter, but that power of flexibility is not usable by many people because
the configuration syntax is so damn hard.  In order to use the more advanced
features of Netfilter, most people use scripts made by other people, and
they do not understand much of what syntax in the script actually means.
ipf syntax is much more intuitive in nature and as a result it is much
easier for users to understand the implications of rules that they
customize.  Netfilter script users are often limited to the options given in
the script, with additional advanced features needing a much deeper
level of understanding.

It is also true that OpenBSD requires less system resources than Linux, but
I think that's only true mainly because most Linux distros include
EVERYTHING that a server can possibly do.  If you were to strip down Red Hat
to the bare essentials, custom minimalist kernel and libraries, I'm sure
that it can be as lean as the BSDs in doing specific jobs like
this.  There has to be a reason that embedded developers are now choosing
Linux rather than BSD as an embedded operating system, even though BSD
licenses would give them more benefit in intellectual property and market
competitive edge because they do not have to contribute their changes back
to the community (example: Microsoft's TCP/IP stack from BSD).

That being said, there are strong arguments to use either Linux or OpenBSD.
It will be much harder to create the rules necessary for multiple network
interfaces with Netfilter than ipf.  Ready-made scripts for your desired
configuration would not be readily available, so you would probably have to
make it yourself.  Perhaps if you were making an enterprise-grade firewall,
Linux may better suit the job with the extra features and flexibility (QoS,
flexible rate limiting, custom classes, more advanced NAT, custom conntrack
modules, etc), but this is your home firewall and you don't need these
advanced features.  ipf is simply quicker and easier to secure properly.  Of
course, if you want to go through this process to learn, this is a great
learning opportunity.

On the downside, OpenBSD is currently in an awkward situation with ipf.  The
community didn't realize it until recently, but IPFilter is _not_ free &
open source software.  It is completely controlled by the author, and it is
not permitted to distribute modified binaries of ipf.  As a result, the
makers of OpenBSD have dropped IPFilter and begun to write a replacement.
This may or may not be a problem in the future, depending on how quickly
OpenBSD can code a mature replacement.  I believe they are attempting to
make it as compatible as possible with the existing IPF configuration
syntax, but it will be over a year or two before it becomes as mature and
proven as IPF.  This may make an upgrade path for OpenBSD uncertain.

Fortunately the OpenBSD folks have done an awesome job in quickly
implementing OpenSSH, and many folks feel that they will do a great job with
their new firewalling code.  It is just a question of how long it will take
to reimplement and make it mature.  I think within a few years FreeBSD and
NetBSD may also drop IPF in favor of OpenBSD's implementation so that they
will not be hindered by the non-free nature of IPF.

Basically...
Linux is harder to secure, but more flexible.  OpenBSD is much easier to
secure, but less flexible.  The question here is if you actually need the
more advanced and flexible options (you don't), and how much time you want
to spend configuring this (your choice).

Best tool for the job.

----- Original Message -----
From: "Dusty" <dusty at sandust.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Saturday, August 25, 2001 11:07 PM
Subject: [luau] Re: Router + firewall + NIDS questions


> For this system I can only recommend OpenBSD.  Linux is great, but
> security is NOT the first consideration with Linux.  With OpenBSD it is.
> IPfilter, which currently comes with OpenBSD (ver 2.9) is awesome (one of
> the best firewalls around free or commercial) and much easier to configure
> than IPtables/Netfilter in Linux.  Snort is a great choice for IDS.  A 486
> or (preferably) old Pentium running OpenBSD with 32mb ram and a 500MB hard
> drive is all you would need.  I use an 85mhz Sun Sparc5 with 32mb ram to do
> this same thing, plus mail, web, and dns.  It sits 98% idle!
>
> Having multiple NICs would be fine, a little more difficult on the config,
> but nothing too much. Basically your system will just have to route traffic
> to each interface and you will need to use bigger netmasks (i.e.
> 255.255.255.248 instead of 255.255.255.0).  But your firewall can control
> the traffic much tighter.  If you don't already have the extra NICs, I would
> spend the money on a cheap HUB or switch.
>
> For more info on OpenBSD go to http://www.openbsd.org and for info on
> configuring http://www.nomoa.com/bsd.  The network install for OpenBSD is
> pretty easy and I recommend it.