New year's resolution No. 1: Get OpenBSD

Kick off 2007 with a new, more secure operating system

Although many readers think I'm a Windows-only zealot, one of my other favorite OSes is OpenBSD. I run a few flavors of Linux as well, but I use OpenBSD as my honeynet (a network of honeypots) firewall and to explore the criminal side of the Net. There is no better secure, popular OS than OpenBSD.

Project founder Theo de Raadt created OpenBSD in 1995 as a more secure and open alternative to NetBSD and Linux. De Raadt and his project team are legendary in their pursuit of openness and security. They worked hard to scrub every proprietary and non-open piece of source code out of the kernel. The name OpenBSD comes from the fact that its source code can easily be examined on the Web or by using other tools. Open also means that it supports many platforms, including i386, Alpha, HP, Mac (both Motorola and iMac chipsets), Vax, Sparc, and SGI.

The founders and maintainers of OpenBSD are the kings of security. Nothing goes into OpenBSD before a gauntlet of security reviews, and the source code is constantly examined, re-examined, extended, and updated in developer-focused hack-a-thons.

Crypto is baked-in and turned on by default. Kerberos V is built-in. In 1997, OpenBSD was the first OS with IPSec support. It has native support for many cryptographic hardware accelerator cards. You want to use remote admin? Then you’re going to use an encrypted channel (e.g., OpenSSH). FTP supports HTTPS. Passwords are protected by Blowfish encryption (called bcrypt hashes), which are considered the strongest password hashes available.

The overarching goal is to be the most secure operating system. To date, only one remote vulnerability has been found in the OpenBSD kernel. Critics often counter -- and rightly so -- that no one runs just the kernel, and that other common add-ons (again, OpenSSH) have been found with bugs. That may be right, but few other OSes can say that in 10 years of existence, outsiders found only one kernel bug. It’s quite the record.

OpenBSD is especially known for its Packet Filter (PF) firewall software, considered one of the most protective and straightforward firewalls available. You need a chrooted service? Nobody does it better than OpenBSD. In fact, think of any generally available security feature, and it's highly likely that it’s available or installable on OpenBSD, albeit in a more secure form.

Security comes at the price of decreased user friendliness and difficult installs from a lack of supported drivers. OpenBSD earned its reputation for being difficult to configure after the install, because what does get installed is minimalist in nature by default. For example, PF is a strong firewall, but it doesn’t include all the cute little features that are available in today’s massively bloated firewalls. It does what you tell it to do, no more and no less -- and without holes.

OpenBSD is shipped secure-by-default, with all non-essential services disabled. You won’t find NFS, Mountd, or Apache enabled by default. The \bin and \sbin folders will be emptier than other Linux or BSD distros. Install OpenBSD and you can be assured that it doesn’t default to an insecure state.

Theo de Raadt is known for being rather abrasive when it comes to OpenBSD and its security. I’ve never met the man so I don’t know for sure. Per other articles I’ve read, he has angered many with his firm stance on security and doesn’t suffer fools, whiners, or middle-of-the-road security advocates lightly. But shouldn’t we have at least one publicly available OS that simply says security is the No. 1 concern and everything else is secondary?

If you are new to Linux or BSD, I suggest buying an OpenBSD book. My current favorite is Absolute OpenBSD: Unix for the Practical Paranoid by Michael W. Lucas from No Starch Press. Anyone should be able to read this book, download OpenBSD, and get it running as quickly as possible.

So make another new year’s resolution. Download and install OpenBSD and see what it can do for you.

Join the discussion
Be the first to comment on this article. Our Commenting Policies