Date: Fri, 22 Jun 2001 02:02:22 -0400 (EDT)
From: "Albert D. Cahalan" <acahalan@cs.uml.edu>
To: beachboywu@yahoo.com
Cc: FreeBSD-advocacy@freebsd.org
Subject: Re: Ask a question.. Thanks..
Message-ID: <200106220602.f5M62MG421878@saturn.cs.uml.edu>
> Currently, I am doing a report that evaluates and
> compares OpenBSD and Linux (with the NSA security
> extensions)

It is interesting that you compare OpenBSD and Linux on a FreeBSD mailing list.

> as a potential platform for a VPN gateway/router.
> I will be using IPSec as security protocol.
> I'd appreciate it if you can tell me which one of
> these operating systems is more secure in general and
> why. Thanks for the help...

OpenBSD: tries to eliminate all holes
seLinux: tries to keep "successful" attacks contained

Once an attacker gets root on an OpenBSD box, game over. You lost. Your box is owned. Still, it's hard to crack an OpenBSD box. But then again, there was a root-level exploit a week or two ago. It only takes one hole you know.

The seLinux box is full of holes, and everybody knows it. They have wu-FTPd even. So the attacker gets root, but with seLinux they don't own you. The damage is contained to specific roles and/or security levels. It is possible to have a root login that can edit files in /etc, while at the same time having an attacker with root being blocked from doing this. The system might require vi for editing /etc/inittab, but require emacs for editing /etc/lilo.conf. This is kernel-enforced; you can't escape it with a debugger.

Think about it this way: do you build a huge oil tanker ship with one strong hull (OpenBSD style) or do you build it with a double hull and many separate compartments inside (seLinux style) to make sure a single hole won't dump out all the oil?

Do you believe that Theo has finally fixed every last bug?

I guess this boils down to optimism (OpenBSD) and pessimism (seLinux). Either you trust that _all_ security holes in OpenBSD have been fixed, or you use seLinux to contain the damage of exploits which you believe are inevitable.
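The containment argument above (a root login may edit /etc/inittab through vi while a root shell obtained through a hole may not, and the editor itself is tied to the file) is the SELinux type-enforcement model. The toy reference monitor below is an added illustration, not code from the mail or from the SELinux project; every domain, type and rule name in it is constructed, and it models only the kernel's allow/transition decision, not a real policy.

```python
"""Toy type-enforcement (TE) monitor in the spirit of the mail's seLinux
description: access is decided by (subject domain, object type, class,
permission), never by UID, so uid 0 by itself grants nothing.
All domain/type names and rules here are constructed for illustration."""
from dataclasses import dataclass

# allow <domain> <type>:<class> { perms }   (constructed sample policy)
ALLOW = {
    ("sysadm_t", "vi_exec_t", "file"):    {"execute"},
    ("sysadm_t", "emacs_exec_t", "file"): {"execute"},
    ("vi_t", "inittab_t", "file"):        {"read", "write"},   # vi may edit inittab
    ("vi_t", "liloconf_t", "file"):       {"read"},
    ("emacs_t", "liloconf_t", "file"):    {"read", "write"},   # emacs may edit lilo.conf
    ("emacs_t", "inittab_t", "file"):     {"read"},
    ("ftpd_t", "ftp_data_t", "file"):     {"read", "write"},   # the FTP daemon's world
}
# type_transition <domain> <entrypoint type>:process <new domain>
TRANSITION = {
    ("sysadm_t", "vi_exec_t"): "vi_t",
    ("sysadm_t", "emacs_exec_t"): "emacs_t",
}

@dataclass(frozen=True)
class Process:
    uid: int      # carried along but never consulted by the monitor
    domain: str

def allowed(p: Process, obj_type: str, cls: str, perm: str) -> bool:
    """Kernel decision: only the (domain, type, class) triple is looked up."""
    return perm in ALLOW.get((p.domain, obj_type, cls), set())

def execve(p: Process, exe_type: str) -> Process:
    """Run a program: execute permission is required, and the domain changes
    only through a declared transition; otherwise the process keeps its domain."""
    if not allowed(p, exe_type, "file", "execute"):
        raise PermissionError(f"{p.domain} may not execute {exe_type}")
    return Process(p.uid, TRANSITION.get((p.domain, exe_type), p.domain))

def sysadm_edits_inittab(editor_exec: str = "vi_exec_t") -> bool:
    """Legitimate root login, started in the admin domain."""
    admin = Process(uid=0, domain="sysadm_t")
    return allowed(execve(admin, editor_exec), "inittab_t", "file", "write")

def attacker_edits_inittab() -> bool:
    """uid 0 gained through the FTP daemon, but still confined to ftpd_t."""
    owned = Process(uid=0, domain="ftpd_t")
    try:
        editor = execve(owned, "vi_exec_t")   # no execute rule: refused
    except PermissionError:
        return False
    return allowed(editor, "inittab_t", "file", "write")
```

Swapping the editor in `sysadm_edits_inittab("emacs_exec_t")` shows the second half of the mail's point: the same root login is refused write access to inittab from emacs, because the rule is attached to the vi domain, not to the user.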