OpenBSD: The most secure OS around

Move over, Windows and Linux: OpenBSD is the most secure server operating system now available.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
You're probably sick and tired of running into the latest Windows security snafu. And you're undoubtedly painfully aware that most versions of Unix have their own major security holes, such as the recent HP-UX whopper. I'm guessing that you're wondering if there's a network operating system that gets security right. There is: OpenBSD.

Unlike other operating systems, with the exception of close relative NetBSD, the open source OpenBSD was built from the ground up to be secure. How do they do it? In no small part, it's by constantly auditing the operating system's code for potential security problems.

For example, the entire source code tree for OpenBSD is audited for that most frequent of security problems: buffer overflows. Since 1996, the operating system has had a team of auditors working on finding potential problems and fixing them before they can develop into security holes. OpenBSD, which runs on the Intel platform but has been ported to many others, is also a big believer in fully disclosing any potential security problems to the public as they come up and then immediately attacking and fixing them. Unlike most operating system vendors, the OpenBSD crew is proactive rather than reactive to security problems.

Are you listening, Apple, Microsoft, and all the Unix vendors? This isn't rocket science. It's barely computer science; it's simply quality assurance testing for security.

You can see this quality assurance even in OpenBSD's basic install. Most operating system default installs--including the Linuxes and other BSDs--tend to throw in services in an everything-and-the-kitchen-sink fashion. In stark contrast, OpenBSD takes a "secure by default" approach, in which all non-essential services are disabled. You must choose, for instance, to turn on Network File System (NFS) and Web servers after your initial install.

OpenBSD also incorporates encryption in the operating system. Other systems, like Windows XP, with its Encrypted File System (EFS), layer encryption on top of the operating system rather than build it into the foundation. In OpenBSD, KDS' Heimdal implementation of the Kerberos IV and V authentication protocols is a core part of the windowing and log-in systems. And the TCP/IP stack has had the Internet Security Protocol (IPSec) built in since 1997.

What that means is that unlike other operating systems, where IPSec is often an option for virtual private networks (VPNs), the security is incorporated right into the basic network stack. What a simple solution to network security: Put a widely supported open security standard right in the stack so users don't need to add it in.

I doubt if the other operating system vendors can learn this and other security techniques from OpenBSD. Most of them are more interested in adding more features or strapping on security instead of building it in from the ground up. I talked to almost every operating system vendor in creation recently, and with the exception of Sun, all plan to build more features into the operating system. Theo de Raadt, OpenBSD's lead developer, says that the problem with this approach is that "security is usually increased by removing stuff, not by adding more junk." I agree. It's easier to keep something simple secure.

Whether you buy that theory or not, experts agree that OpenBSD is the most secure server operating system now available. So why don't you already know it? In part, it's because OpenBSD is a shoestring operation, even by open source standards. It also doesn't help OpenBSD's cause that there are only a handful of integrators and consultants that support the system.

Still, OpenBSD does run most Linux, BSD, and many Solaris applications; that's a plus. If you know Solaris, Linux, or BSD and want to move to a more secure system, or you're just so sick and tired of security holes that you're willing to make the jump into a new operating system, OpenBSD is for you.
