OpenBSD nears security nirvana

SECURITY WATCH: OpenBSD comes close to security nirvana with a system that is 'secure by default'.

Well known for its "secure by default" posture, OpenBSD (http://www.openbsd.org), the internet-based volunteer effort, recently announced the inclusion and support of Versions 1.3 and 1.5 of Secure Shell (SSH) client and server in OpenBSD Version 2.6, which is due to appear in early December. But including security-related products in the operating system is nothing new for OpenBSD.

The product also includes integrated cryptography and virtual private networking technologies such as Blowfish, MD5, SHA-1, IPSec, and S/Key. Because of this, it has been accepted as the de facto secure operating system.

We use OpenBSD for SSH and Internet Relay Chat in particular, but many corporations use OpenBSD for their intrusion-detection engines, virtual private networking servers, firewalls, Web, FTP, and e-mail; some have reported using the operating system for data-warehousing applications.

Theo de Raadt, the lead developer and maintainer of OpenBSD, boldly sets the expectations for the team.

"Our aspiration is to be number one in the industry for security," de Raadt says.

And they have backed up this claim. OpenBSD has avoided a successful remote root attack on the operating system for more than two years. That record is better than that of any other operating system on the market. De Raadt has become an expert on securing code, and has done much to ensure that OpenBSD code is written securely and holes are discovered quickly.

As you've come to expect from us, our faith in vendors' attention to security is waning, but OpenBSD gives us hope. OpenBSD is a group that has done it right - or at least strives to.

We recently wrote about a stellar new Windows NT firewall that we swear by and use on most of our personal systems. It's called WinRoute Pro 4.0, by Tiny Software, at http://www.tinysoftware.com. However, while working with the product, we've discovered a couple of security concerns that demand your attention.

The first problem you'll have to remedy is that the default administrator account (Admin) is set with no password after installation. This allows even the dullest of attackers to log in to the WinRoute Administration interface with ease. The password for the Admin user should be changed by getting into the WinRoute Administration program and selecting the Settings, Accounts, Users Tab, and Edit button.

The second security concern has to do with the way WinRoute sets up its default-management capabilities. Out of the box, WinRoute allows for both "remote administration over network" (through TCP and User Datagram Protocol port 44333) and Web-enabled administration via TCP port 3129.

To be fair to WinRoute, if you read our initial column discussing the product and actually took the time to duplicate our recommended packet-filter rules, this second security concern would disappear. That's because we recommended the standard cleanup rule to block all traffic that was not explicitly allowed. However, realising that not everyone takes what we say seriously, it's important to limit your liability here.
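A check for this second concern, as an added example that is not part of the original column: run from a machine outside the firewall, it connects to the two default WinRoute management ports named above and reports whether each is open, closed or filtered. Only TCP is probed (UDP 44333 is not); the function names and the timeout are choices made for this example.

```python
import socket
import sys

# Management ports WinRoute opens by default, as listed in the column.
WINROUTE_MGMT_PORTS = {44333: "remote administration", 3129: "web administration"}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"      # handshake completed: the interface is reachable
    except ConnectionRefusedError:
        return "closed"    # reset received: nothing listening, or a reject rule
    except OSError:
        return "filtered"  # timeout or unreachable: a filter dropped the packet
    finally:
        sock.close()


def audit(host, ports=WINROUTE_MGMT_PORTS, timeout=2.0):
    """Return {port: state} for each management port on host."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that completed a handshake and still need a blocking rule."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # Usage: python check_mgmt_ports.py <firewall address>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port} ({WINROUTE_MGMT_PORTS[port]}): {state}")
    # Non-zero exit when a management port answers, so the check can be scripted.
    sys.exit(1 if exposed(results) else 0)
```

With the cleanup rule in place, both ports should report filtered (or closed) from the untrusted side; open means the administration interface is still reachable there.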

The final concern is the one that's most worthy of your attention and has to do with firewalls in general. By default, WinRoute does not secure your system at all times. In other words, during the boot-up process, WinRoute does not take control of the stack and filter packets until the WinRoute service is started. This means that whenever your system reboots, it can allow an attacker a brief moment of opportunity for attack. While the span for attack is only measured in seconds, that is often all one needs to subvert an NT box. To fix this problem, change this undocumented registry key, for securing the system, to the value 1: hkey_local_machine\system\CurrentControlSet\Services\wrdrv\AlwaysSecure.

So what's your position regarding an operating system that is "secure by default?" Tell us what you think at security_watch@infoworld.com.

(Stuart McClure is an independent security consultant at Rampart Security Group. Joel Scambray is a consultant at Ernst & Young.)
