Secure Architectures with Openbsd

I bought this book based upon a positive review I read in Usenix's Login magazine. I've used OpenBSD for some minor things, but never really used it on any long term basis. I recently ordered the 3.8 release CDs and am interesting in delving further into it. With that backdrop, I bought this book. Overall, I think this book is pretty good. Along with some others who have read it, after having read it--I share some reservations about the title. I'm not so sure "Secure Architectures with OpenBSD" should be the title. It may be a bit misleading. I'd this is more of a OpenBSD manual or guidebook than a book on building a "Secure Architecture". It is the book you really want to have at your desk if you deal with OpenBSD regularly (and a lot of it is good for any Unix-based system). I like this book and it definately is a quality book, though I wonder if some people may have been mislead by the title.

About a year ago I read and reviewed Michael Lucas' excellent "Absolute OpenBSD." That book covered OpenBSD 3.2 and the CURRENT of that time, pre-3.3. Palmer and Nazario's "Secure Architectures with OpenBSD" (SAWO) addresses OpenBSD 3.4, which at the time of writing is just behind the current release (3.5). Lucas' book is an excellent introduction to OpenBSD by a relative outsider; SAWO is a more detailed discussion by insiders. Each has its strengths and I highly recommend both.My favorite aspect of SAWO is its coverage of the internal workings of certain aspects of OpenBSD. Ch 4 features an enlightening walk-through of the /etc/rc script. Ch 13 not only describes how to use the ports tree, it explains how that system of software installation works. In some cases the authors reach beyond subjects strictly associated with OpenBSD, such as compilers (ch 21) and CVS (appendix A and elsewhere). As OpenBSD relies heavily on widely-used open source tools for standard administration, I welcome these discussions. I also congratulate the authors' decision to focus on practical aspects of OpenBSD administration or functionality. Ch 3 gives installation advice for non-i386 hardware users. Ch 17 explains how to enable STARTTLS. Ch 22 shows why Pf is superior to many or most commercial firewalls. Some of the material can even be applied to the other BSDs, like the coverage of mergemaster in ch 31 or the advice on using IPv6 in tandem with IPv4 in ch 28.I only have a few critiques of SAWO. Ch 27 (VPNs) was a little terse and hard to follow. I didn't think the authors needed to address applications like Snort (ch 30), when entire best-selling books are written about that very topic. I did not see a single diagram in the whole book. A picture speaks a thousand words, especially when explaining IPSec modes!The second edition of SAWO will have plenty to add, including coverage of spamd, Common Address Redundancy Protocol (CARP), and pfsync. I suggest BSD users of all types take a close look at SAWO and consider supporting the OpenBSD project by purchasing books like this and official OpenBSD CDs.

Before buying this book you need to understand a few facts about it:- at first glance the title may lead you to believe it's about securing OpenBSD - it's not. It is about using an inherently secure operating system, OpenBSD, to its best advantage.- you will need to be an experienced UNIX or Linux (or ideally OpenBSD) system admin to get the most out of the content.- it is intended to be used in conjunction with OpenBSD man pages; as noted by another reviewer this book aggregates a lot of OpenBSD documentation, making it a convenient reference.Because OpenBSD is more than a little different from other *NIX variants, and because it is cantankerous with respect to installation and configuration, the material in this book will save a lot of time and reduce the learning curve for anyone migrating to the OpenBSD environment. Reasons for this migration include the enhanced security by default and the inherent stability of this operating system. Chapters 3, 4 and 5 are good places to start to get up-to-speed in OpenBSD because they thoroughly cover installation, basic use (especially with respect to the not-so-standard filesystem layout), and basic default services. All of Section II is essential reading for those new to OpenBSD. Among the topics covered are user admin (almost identical to other *NIX variants), pre-compiled third party software packages (unique to OpenBSD, especially with respect to ports tree), and other administrative tasks and operations. Section III, advanced features, is also essential and will greatly reduce the learning curve.Overall this is an exceptionally well-written book that covers everything you need to know about OpenBSD from installation, and administration maintenance perspectives.

Most of the information is available from other sources and if your run OpenBSD and want to keep 50 howtos and a couple general books on Unix handy you can do without this book. However, I am lazy and I like having the information I need at my fingertips with syntax that works the first time on the operating system I am using.The authors and Addison Wesley are to be congratulated for the fantastic layout, the "code" examples stand out, they are pithy and illustrate the point. The one exception to that is the IPsec VPN chapter. Also, it is really easy reading for such a bone breakingly technical book.I particularly enjoyed the PF chapter, it is a first rate treatment of firewalling, covers the bases nicely. The backup chapter is also well done, but I would argue more strongly on behalf of level 0 (full) backups. It is a an important enough concept to get more than a sentence. The introduction to systrace was wonderful. I am not sure covering snort in 7 pages is a good idea, but the fundamentals are there. I know covering apache in 9 pages is asking for trouble since it tends to be internet reachable.If you are looking for a platform with better networking capability than Linux, or if you are already running OpenBSD in anything other than a purely hobbyist fashion, you should strongly consider this book.