OpenBSD Journal

Cisco's OpenBSD (Dated to late 2001)

Contributed by jose on from the yep,-its-a-product dept.

Dan writes: "Dated back to late 2001...

Just found this on cisco's site.

From cisco site:

"The operating system is ArbOS, Cisco's own hardened version of OpenBSD, in which the TCP stack is rewritten and the user spaces removed. Telnet is disabled in the default configuration"

"Each component operates on top of ArbOS, a hardened, highly secure system based on the industry-standard OpenBSD."

Cisco AVVID information

Network Computing Information"

A point of clarification to the submitter: it's actually from Arbor Networks, not Cisco, but yep, it's based on OpenBSD.



Comments
  1. By jose () on http://monkey.org/~jose/

    as a part of full disclosure, i work for arbor networks, but my deadly.org and openbsd work is outside the scope of that.

    Comments
    1. By Anonymous Coward () on

      You probably cannot answer this without getting fired, but if you can answer, I'm curious as to why Arbor chose to reimplement the TCP stack? It seems like they are taking a big chance of introducing a security-related bug for no reason I can *immediately* think of (OpenBSD's TCP is very solid and well-tested).

      Comments
      1. By Dan () on

        I would guess that because around 2001 there was a study about TCP/IP sequence number prediction. OpenBSD made changes after that point.
        You can totally discount my reply though because I don't work for Arbor and I don't have any experience with ArbOS.

      2. By ViPER () viper@dmrt.net on http://www.dmrt.net

        My guess (sorry for not being Jose here ;) would be that the TCP stack is trimmed down. Yes, it's very secure, but less is better ;) Which prob. will result in rewriting a lot to glue it back together again. Also, the fact is that 'Harden OpenBSD' does help for sales. The second thing that pops to mind is memory usage. A cisco with 64megs should be more than enough for most networks, where it would be suicide trying to gain that with any unix-like os running 64mb.
        (4x1gb fiber nics doing traffic shaping)

  2. By Anonymous Coward () on

    A REWRITTEN tcp/ip stack? This is BSD we're talking about! Where do they get off rewriting the BSD tcp/ip stack?!

    I don't care about what the license allows you to do with the code. Replacing the tcp/ip stack takes a lot of gall.

    Comments
    1. By Anonymous Coward () on

      Maybe they didn't like the tcp/ip stack? If I knew what I was doing half the time, I'd replace all kinds of shit too.

      Comments
      1. By Anonymous Coward () on

        BSD has the best TCP/IP stack. Everyone knows that. Everyone steals it too cuz it's so good.

        Comments
        1. By thomas () no@spam.please on mailto:no@spam.please

          Actually, from my own personal experience, I wouldn't put an OpenBSD install in a truly high performance environment, it just doesn't seem to be able to stand up to load for me. Now maybe this is just a personal experience, or maybe I flat out did something wrong, and I'm in no way trying to flame OpenBSD/BSD in general. But what I am saying is, from times I've seen an OpenBSD box placed in a very high load environment, it crumbles under the weight. For instance, slap an OpenBSD box up as a high load SQL/Httpd server and you'll start to see your traffic in and out of the box begin to choke. So maybe for this installation on their devices a custom TCP/IP stack is better off since they might have reworked it to support higher loads which standard OpenBSD doesn't seem to be able to handle. I guess I attribute this to all of the security measures put in place by OpenBSD. I've always had luck using NetBSD or FreeBSD in a high load area.

          But like I said, this is a one time personal experience account, not a completely static view, and I leave a lot of room open to operator error/bad configuration. But I know for me personally, keeping OpenBSD around as a light load server, a honey-pot, a good IDS machine, or an ethernet bridge is a great idea, but I wouldn't dare put it on as a router/high load server, it just can't seem to handle it.

          Comments
          1. By Chris Cappuccio () chris@nmedia.net on mailto:chris@nmedia.net

            Have you tried more recent versions of OpenBSD? 3.3 and 3.4 especially. Lots of things have been fixed.... and more will happen to improve performance as time goes on... What kind of failures were you seeing?

            Comments
            1. By thomas () no@spam.please on mailto:no@spam.please

              Hey Chris,
              Sorry for the late reply and I hope you'll still come back and check this out. When I last used OpenBSD it was for a router/firewall machine on a corporate network, it was running OpenBSD 3.2. All I was doing with it was running out a pretty good PF firewall and an SMTP relay. The main thing that I saw was if I didn't place very much traffic on it, I would get good KBps out of it (~800 - 900), but when a lot of load started to run through it (lots of e-mails at once, or lots of users natting out) the traffic would drop vastly (~150 - 200).

              Now of course, maybe I did something wrong, who knows? I replaced it with FreeBSD and it handled it just fine and sustained rates over duration.

  4. By Anonymous Coward () on

    I cannot help but speculate on the competence of the person who thinks that a version of OpenBSD where 'Telnet is disabled in the default configuration' could be considered hardened in any way. Hell, *any* OS with telnet disabled would not be 'hardened'.....

    Comments
    1. By Anonymous Coward () on

      Telnet isn't even on in the default install. They must have had a hard time disabling it :p

      Comments
      1. By naxalite () eric@naxalite.ath.cx on mailto:eric@naxalite.ath.cx

        Telnet is in the default install, it just isn't running by default. That's where I don't understand how they'd disabled something that already is ;p
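
The last three comments argue over whether "telnet disabled" means anything when OpenBSD ships telnetd but does not start it. As an added example (not from the page, Arbor or Cisco), this POSIX shell snippet lists the services an inetd.conf actually enables, so the claim can be checked against a real file rather than argued about; the configuration text below is a constructed sample in inetd.conf(5) layout, not a copy of any release's /etc/inetd.conf.

```shell
#!/bin/sh
# Constructed sample in inetd.conf(5) layout (service socket proto wait/nowait
# user program args). Commented-out entries are installed but never started.
SAMPLE_INETD_CONF='# service  socket  proto  wait/nowait  user     program                args
#telnet    stream  tcp    nowait       root     /usr/libexec/telnetd   telnetd
ident      stream  tcp    nowait       _identd  /usr/libexec/identd    identd -el
127.0.0.1:comsat dgram udp wait       root     /usr/libexec/comsat    comsat
#ftp       stream  tcp    nowait       root     /usr/libexec/ftpd      ftpd -US
daytime    stream  tcp    nowait       root     internal
'

# Print the service name of every entry inetd would actually start: skip blank
# and comment lines, take the first field, and strip an "addr:" prefix if the
# entry is bound to a specific address.
enabled_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        { svc = $1; sub(/^.*:/, "", svc); print svc }'
}

# Return 0 if the named service is enabled in the given inetd.conf text, 1 otherwise.
service_enabled() {
    enabled_services "$1" | grep -qx -- "$2"
}

# On a live system the same functions audit the real file:
#   enabled_services "$(cat /etc/inetd.conf)"
#   service_enabled "$(cat /etc/inetd.conf)" telnet && echo "telnet is enabled"
```

In the sample, ident, comsat and daytime are reported as enabled while telnet and ftp are not, which is exactly the "installed but not running" state the comments describe.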

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]