I sometimes surprise fellow technologists when I tell them that a successful digital payments company we built runs on FreeBSD.
It’s not that they haven’t heard of FreeBSD—the open source operating system turns 30 this year, after all. Rather, it’s that they hadn’t previously thought of FreeBSD as an enterprise OS. But that’s exactly what it is and how we use it: FreeBSD is a critical enterprise-grade OS that is on par with—and in some ways surpasses—other operating systems when working in enterprise environments.
I’ve been a FreeBSD user for 16 years now. Like many others, I got started as a hobbyist. I’d been working with various OSes in enterprise environments, mostly in the payments industry, and getting frustrated with some of the drawbacks of other well-known options: random error codes, endless support tickets, black boxes. A colleague tipped me off to FreeBSD, and I immediately loved it for its simplicity and capabilities. We rebuilt that company on the FreeBSD stack and the project was highly successful.
When we launched our digital payments company, we built it on FreeBSD and never looked back; it is still our OS of choice today. We have nearly 60 servers running across two different U.S. data centers. We run on an active-active architecture, with our own IPV4 blocks that we Anycast. We operate several highly segmented VLANs for isolation and security purposes. And we do all of this with FreeBSD.
One reason this surprises some people is that, as a payments company, we handle millions of credit card and bank account numbers. To put it in simple terms: a data breach would be extraordinarily bad for us. We do intensive pen testing and vulnerability scanning on a daily basis to make sure we’re as strong as possible. We regularly undergo security and compliance assessments, which we pass with flying colors.
And in the process, I’ve spent many hours talking with auditors, InfoSec pros, CIOs, CISSPs, and others in the industry to make the business case for FreeBSD and teach with them what we’ve learned first-hand: FreeBSD is a remarkably powerful, reliable enterprise OS that can stand up to the most stringent security standards and regulatory scrutiny.
Below, I’ll unpack five fundamentals behind why FreeBSD is our enterprise OS of choice—which can double as five fundamentals for making the business case for FreeBSD in your own organization.
Using FreeBSD as an enterprise OS: 5 things to know
-
Security & Stability
One of the best features of FreeBSD—along with all of the products in its ecosystem—is that it’s a completely free and open source project. Historically, open source sometimes got a bad rap in enterprise environments, but that is changing as IT pros recognize that, when properly configured and managed, open source software can be just as secure (or even more so) than proprietary code.
A key reason for this is that open source eliminates all of the black boxes. You can look under the hood and see everything that is going on; there are no mysteries. Even more importantly, there are lots of eyes on the code, which means issues tend to be discovered and mitigated much faster, especially where there is a longstanding, engaged community around the project (like there is with FreeBSD).
Moreover, I’ve never seen another OS that has such a consistent behavior from release-and-patch cycle to release-and-patch cycle. With FreeBSD, we never encounter the common scenario where you install an update or new version and, suddenly, a bunch of tools stop working because an underlying library changed.
FreeBSD’s base install also runs a very minimal set of services that are exposed to the outside world, which supports the many security frameworks that emphasize zero-trust or least-privilege principles by only running what is actually necessary. It’s easy to add what you need, while not needing to worry about uninstalling or disabling a bunch of things that you don’t.
Similarly, it’s very easy to tune and configure everything from how your network stack runs to how your intrusion detection runs and more. The documentation is great; again, no black boxes or endless support tickets.
The open source nature also helps deliver excellent performance, minimizing calls and other potential drags on your environment. Finally, from a security and stability standpoint, there’s separation between that base OS and everything else that gets installed on that OS.
-
High Availability
High availability (HA) is a hot topic and an increasingly common requirement in many sectors. In the past, I’d never been able to actually achieve it with other OSes without purchasing expensive firewalls and routing equipment.
We built our active-active, multi-homed, Anycast-ed environment more or less using out-of-the-box FreeBSD. Even our firewalls are FreeBSD. The only third-party application we’ve had to add is BIRD for BGP routing.
After two years, we have had zero downtime. We’ve load-tested the current configuration to 20,000 concurrent credit card transactions – and that didn’t even stretch the platform to its outer limits. And we’ve done this essentially with simple hardware and out-of-the-box FreeBSD.
-
Patching
This is probably one of the most compelling reasons to consider using FreeBSD in an enterprise environment—and one of my favorite aspects to talk about as a result.
I am regularly asked some version of the question: “Wait, you’re using FreeBSD as the OS for running a firewall?” And my answer is always: “Yes, absolutely.”
The reality is that a lot of auditing and assessment firms and CISSPs are used to seeing the brand-name OSes. There’s nothing wrong with that, per se, but I like to share my belief that many of those platforms are using a lot of open source—like FreeBSD and its PF firewall—under the hood. They’re wrapping their own UI and code around it, of course, but essentially it’s the same thing we do on our own.
And what happens is that when we run things like pkg audit nightly to check our systems against CVEs and other known issues, we can patch those vulnerabilities much faster than would be possible if we had to wait on a commercial OS vendor. When a vulnerability becomes known, we have a fresh, patched build up and running soon after.
-
Configuration Management
Nobody loves the mysterious checkbox UI style of configuration management. It’s another form of black box, in that you don’t really know what’s going on in the background.
For this reason, I love the simplicity of configuring FreeBSD. It’s all flat files. You don’t have to log into a UI to make changes.
FreeBSD’s file-based configuration arms you with a persuasive case in terms of security and auditing because it creates a simple but powerful change management system. Just about any security and assessment framework requires some type of change management process in place. File-based configuration makes it simple to GIF those file configurations, or use version control on them, inherently adding change management to your configuration management.
If you want to take it to the next level, we use SaltStack for centralized automation and orchestration of our configuration management. There is not a single manually created or updated configuration file on any server in our environment; everything is done via SaltStack and Git, which makes it easy for us to track configuration management and change management throughout the environment. That gives us a centralized audit trail of any change made on any system.
- Compliance Management
Regulatory compliance is a major requirement for us as a payments company, as it is for other firms in the banking and financial services sector (as well as most industries now).
We regularly work with PCI DSS and the NIST Cybersecurity Framework. In our experience, frameworks like these are heavily tuned toward one of the major commercial operating systems[, and, as a result, many of the auditors and assessors are more experienced with that OS as well. That’s created a learning curve when doing something like a PCI level 1 assessment or a NIST audit, where we’ve basically had to teach the assessors all of the above, because they weren’t familiar with how FreeBSD gets configured and secured. (As a result, there are now some vendors who know very well how it works!)
If you do work with a vendor that doesn’t know FreeBSD, the first assessment or audit will likely be more painful than future ones, because you’ll have to help them navigate that learning curve.
But here’s the great news: Every time we’ve completed a course with a security assessor who wasn’t previously familiar with FreeBSD, by the end of it they always become convinced FreeBSD is the best OS from the security, compliance, patching, and configuration perspectives. Seriously. And successfully completing those audits and assessments is ultimately what qualifies an OS as “enterprise-ready,” and I can say emphatically that FreeBSD exceeds that bar.
That’s what I love sharing our experience and what we’ve learned—because inevitably that might help be a catalyst for helping our technologists and teams reap the benefits of such a great open source OS.