OpenBSD: The most secure OS around

OpenBSD: The most secure OS around

Summary: Move over, Windows and Linux: OpenBSD is the most secure server operating system now available.

You're probably sick and tired of running into the latest Windows security snafu. And you're undoubtedly painfully aware that most versions of Unix have their own major security holes, such as the recent HP-UX whopper. I'm guessing that you're wondering if there's a network operating system that gets security right. There is: OpenBSD.

Unlike other operating systems, with the exception of close relative NetBSD, the open source OpenBSD was built from the ground up to be secure. How do they do it? In no small part, it's by constantly auditing the operating system's code for potential security problems.

For example, the entire source code tree for OpenBSD is audited for that most frequent of security problems: buffer overflows. Since 1996, the operating system has had a team of auditors working on finding potential problems and fixing them before they can develop into security holes. OpenBSD, which runs on the Intel platform but has been ported to many others, is also a big believer in fully disclosing any potential security problems to the public as they come up and then immediately attacking and fixing them. Unlike most operating system vendors, the OpenBSD crew is proactive rather than reactive to security problems.

Are you listening Apple, Microsoft, and all the Unix vendors? This isn't rocket science. It's barely computer science; it's simply quality assurance testing for security.

You can see this quality assurance even in OpenBSD's basic install. Most operating system default installs--including the Linuxes and other BSDs--tend to throw in services in an everything-and-the-kitchen-sink fashion. In stark contrast, OpenBSD takes a "secure by default" approach, in which all non-essential services are disabled. You must choose, for instance, to turn on Network File System (NFS) and Web servers after your initial install.

OpenBSD also incorporates encryption in the operating system. Other systems, like Windows XP, with its Encrypted File System (EFS), layer encryption on top of the operating system rather than build it into the foundation. In OpenBSD, KDS' Heimdal implementation of Kerberos IV and V authentication protocols are a core part of the windowing and log-in systems. And the TCP/IP stack has had the Internet Security Protocol (IPSec) built in since 1997.

What that means is that unlike other operating systems, where IPSec is often an option for virtual private networks (VPNs), the security is incorporated right into the basic network stack. What a simple solution to network security: Put a widely supported open security standard right in the stack so users don't need to add it in.

I doubt if the other operating system vendors can learn this and other security techniques from OpenBSD. Most of them are more interested in adding more features or strapping on security instead of building it in from the ground up. I talked to almost every operating system vendor in creation recently, and with the exception of Sun, all plan to build more features into the operating system. Theo de Raadt, OpenBSD's lead developer, says that the problem with this approach is that "security is usually increased by removing stuff, not by adding more junk." I agree. It's easier to keep something simple secure.

Whether you buy that theory or not, experts agree that OpenBSD is the most secure server operating system now available. So why don't you already know it? In part, it's because OpenBSD is a shoestring operation, even by open source standards. It also doesn't help OpenBSD's cause that there are only a handful of integrators and consultants that support the system.

Still, OpenBSD does run most Linux, BSD, and many Solaris applications; that's a plus. If you know Solaris, Linux, or BSD and want to move to a more secure system, or you're just so sick and tired of security holes that you're willing to make the jump into a new operating system, OpenBSD is for you.

Topics: Software, Open Source, Operating Systems, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Still the "most secure"?

    I wonder how almost ten years can change everything. Follow this link if you want to know more: <a href="" target="_blank" rel="nofollow"></a>
    • RE: OpenBSD: The most secure OS around


      Allegations are just allegations. Nothing was proved. The truth is the whole story about suspected malicious code existing inside the OpenBSD IPSEC stack can make many serious organizations uncertain to the point they may consider to discontinue using this OS. More companies using secure software -- the better. Apparently this is not a concern of somebody who wants to have access everywhere. Just imagine possibility of eavesdropping currently unbreakable IPSEC protocol. I am not surprised that somebody might have chosen this protocol to the first line of attack. In this world when something is unblemished there is always a matter of false allegations sooner or later. Because OpenBSD is the honest approach to the security ever, it will not be accepted by many people who want to intercept someone's confidential resources illegally.