Linked by Thom Holwerda on Wed 20th Jun 2007 20:07 UTC, submitted by Valour
OpenBSD "If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here's a quick guide to get you started in this spectacular operating system."
RE: Security
by Hiawatha on Thu 21st Jun 2007 06:56 UTC in reply to "RE: Security"
Hiawatha Member since: 2005-08-29

"at least with buggy PHP, no harm can reach the system as httpd is chrooted by default"

If your website gets defaced or personal data from the users of that website are compromised, do you think a chrooted webserver will prevent any more structural damage? Reputation damage can also be really bad for a company. In case of a buggy PHP website, you are better off with a well-designed DMZ and an IDS.

A secure OS is nice. But if I had to choose between "a secure OS and a good administrator" and "a really really secure OS and a bad administrator", I definitely will choose the first one.

Edited 2007-06-21 06:59

Score: 0

RE[2]: Security
by Soulbender on Thu 21st Jun 2007 07:01 in reply to "RE: Security"
Soulbender Member since:
2005-08-18

That's a nice strawman you have there.
It's even better with a really really secure OS and a good administrator.

Score: 4

RE[3]: Security
by IanSVT on Thu 21st Jun 2007 14:35 in reply to "RE[2]: Security"
IanSVT Member since:
2005-07-06

I've always thought of OpenBSD as taking the firewall approach to their design. You generally don't install a firewall with all ports open in both directions. You install it with nothing open, and then create access rules accordingly. The same principle applies to OpenBSD. You get basically no services up front and then add them as needed. Theoretically, this lets you control your environment with a higher degree of certainty and confidence than you might find with an open service oriented OS like Windows or Fedora Core.

I think we can all agree though, a bad administrator is a bad administrator. OpenBSD can only help that affliction so much!

Score: 2

You're sinking fast...
by galvanash on Thu 21st Jun 2007 19:11 in reply to "RE: Security"
galvanash Member since:
2006-01-25

"If your website gets defaced or personal data from the users of that website are compromised, do you think a chrooted webserver will prevent any more structural damage?"

Yes. Definitely. Absolutely. Without Question. Can I possibly be more forthright? Preventing more structural damage is the fricken' POINT of chrooting something...

"In case of a buggy PHP website, you are better off with a well designed DMZ and an IDS."

You keep doing that... It's irritating. The fact is you are MUCH better off having BOTH. There is no need to choose one and not the other. And what exactly does a DMZ or IDS have to do with the relative merits of an OS that is designed to be secure? Your argument seems to be "a secure OS isn't really better than an unsecured one because of a multitude of things like DMZs and firewalls and whatever that have nothing at all to do with the Operating System's design".

"A secure OS is nice. But if I had to choose between 'a secure OS and a good administrator' and 'a really really secure OS and a bad administrator', I definitely will choose the first one."

Again, you don't have to choose. Really. The two things are in no way mutually exclusive.

Score: 2