Following my commitment in January to migrate one production host to FreeBSD, I have spent the past fortnight setting it up. The host is a small file server I had been planning to refresh anyway.
A short note on the platform's security characteristics.
Why FreeBSD
The diversity argument I have been refining over time. FreeBSD is a third platform alongside my Linux and OpenBSD deployments. Three platforms, each with its own security characteristics, produces structural resilience against single-platform attacks.
What I noticed
Three things in particular.
The package system is mature. Ports handles dependencies cleanly, security updates are integrated, and the operational discipline is similar to (and in some ways better than) Debian-style package management. The transition cost was modest.
The default configuration is reasonable. Few services enabled out of the box; the defaults are restrictive without being paranoid; the documentation is clear about what each component does.
The kernel feature set is similar to Linux 2.4 but with different details. Jails (FreeBSD's process-isolation feature) are more mature than Linux's chroot-based approach. The packet filter (ipfw) is similar to iptables but with somewhat different semantics.
What I am doing with it
The host will run a small file-sharing service for friends — replacing a Linux server that was approaching end-of-life anyway. The deployment is low-risk; if FreeBSD does not work out, I can migrate back without much cost.
The diversity benefit is the main reason; the operational details are secondary. Adding a third platform to my repertoire is meaningful even if the day-to-day experience is similar.
What I am taking from this
FreeBSD is a credible security platform. Anyone considering platform diversity should look at it alongside Linux and OpenBSD. The cost of adding it to a multi-platform deployment is modest; the diversity benefit is real.
More as the experiment continues.