Another Business Case for Integrating OpenBSD into IT Infrastructures

2005-11-28 Thread Sean Comeau
Greetings,

At the recent PacSec conference in Tokyo, I demonstrated how we can
easily secure wireless networks with OpenBSD.  This solution uses IPsec
to protect the traffic between the wireless clients and the Access
Points.  Users authenticate using OpenSSH (authpf) before they are
allowed access to network resources.  All of this is automated making it
user friendly and very secure.

Near the end of the presentation, I spoke about the future of wireless
networks using OpenBSD as Access Points.  Both hostapd and sasyncd are
very recent additions to OpenBSD.  I gave everyone a taste of the future
with a live demonstration showing stateful failover of a VPN tunnel
using sasyncd.

The presentation in HTML can be seen here:
http://www.openbsd-support.com/jp/en/htm/mgp/index.shtml

The PDF can be found here:
http://www.pacsec.jp/core05/psj05-scomeau-en.pdf

Conference site:
http://www.pacsec.jp/

Enjoy!

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, England  *  February 20/21 2006  *  http://eusecwest.com/
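The access-point design the announcement describes (nothing but IPsec crosses the wireless link, and authpf gates access to the network behind it) can be expressed as a short pf ruleset. The following is an added example for this archive page, not code from the presentation or from OpenBSD itself; the interface name, addresses and rule layout are assumptions, and it uses current pf syntax rather than that of 2005.

```pf
# Added example, not from the original post or from OpenBSD itself.
# Minimal pf.conf for an access point built along the lines described above:
# the wireless link carries nothing but IPsec, and authpf decides what each
# authenticated user may reach. Interface name and addresses are assumed.
wifi     = "athn0"          # assumed wireless interface on the AP
wifi_net = "10.20.0.0/24"   # assumed address pool for wireless clients
ap_addr  = "10.20.0.1"      # assumed address of the AP on that network

set skip on lo0
block log all               # default deny, including on the wireless side

# Wireless side: only IKE (UDP 500, NAT-T on 4500) and ESP addressed to the
# AP are accepted. Any cleartext client traffic hits the block rule above.
pass in on $wifi proto udp from $wifi_net to $ap_addr port { 500, 4500 }
pass in on $wifi proto esp from $wifi_net to $ap_addr

# Decrypted traffic arrives on enc0 once isakmpd has set up the SA. Before
# authentication the only thing a client may do there is reach sshd, whose
# login shell for wireless users is authpf.
pass in on enc0 proto tcp from $wifi_net to $ap_addr port 22

# authpf loads per-user rules into this anchor while the ssh session stays
# open and removes them when it ends, so access to the wired side is tied to
# an authenticated, still-connected user rather than to a MAC address.
anchor "authpf/*"

# Replies and the AP's own outbound traffic; forwarding for clients is only
# ever granted by the anchor above (the wired interface is not shown).
pass out
```

The per-user rules live in /etc/authpf/authpf.rules, for instance `pass in on enc0 from $user_ip to any`, where authpf substitutes `$user_ip` with the address the user logged in from. `pfctl -nf /etc/pf.conf` checks the ruleset for syntax errors without loading it.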



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-10 Thread mdff
hi misc@,

which hardware r u talking about for example? we'd like
to use such real servers, but we can't decide what vendor
to choose. we definitely do not want to build our own
server (taking the raid controller from vendor x and the
disks from vendor y, having an overkill xeon mabo from z
and so on). we'd like to have on-site hw-support at least
next day (being in austria this is not possible with all
the big server-sellers)

our favourite was/is HP's DLxxx series, but mickey@ is
working on the ciss-port for their storage controllers and
we don't know when it's stable for production use...

any experience values which vendor to choose servers from?
and of course, where the newer hardware is fully supported
by openbsd?

> Avoid relying on cheap hardware to make your cost point.  OpenBSD runs
> well on real, modern servers.  Managers at mid/large companies aren't
> going to want to hear about how you pulled machines out of the trash and
> now the business depends on them, even if they're 4x redundant.



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-10 Thread Mark Uemura
Hi Steve,

I was happy to get your comments and was not offended by anything you
said.  I'm very happy to learn from anyone, especially if it is going
to improve the presentation.  You made some good points that I will use
going forward  :)  My objective is really to prove by example & experience
the myriad of benefits gained by integrating OpenBSD into corporate IT
Infrastructures.  Of course, smaller companies would benefit just as much
and would probably appreciate the savings even more so.  I'm just here 
spreading the word :)

Thanks once again.

Cheers,

Mark Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com

On Wed, Jun 08, 2005 at 11:35:52AM -0400, [EMAIL PROTECTED] wrote:
> Just so you know, aside from my criticisms (which were misdirected since I
> completely misunderstood the purpose of your talk) I thought you put
> together an excellent presentation.  That probably didn't come through in
> my email.  Please keep up the good work.



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-10 Thread Kevin
On 6/10/05, mdff [EMAIL PROTECTED] wrote:
> Steve Shockley writes:
> > Avoid relying on cheap hardware to make your cost point.
> > OpenBSD runs well on real, modern servers.
>
> any experience values which vendor to choose servers from?
> and of course, where the newer hardware is fully supported
> by openbsd?

I'm facing the same issues -- I need to be able to specify a model
from a reputable vendor for rackmount servers when presenting
projects to management.  Where raw network throughput is not
an issue I will deploy Sun hardware with OpenBSD/Sparc64, but
am starting to get the feeling Sparc64 isn't a high-priority platform
for OpenBSD developers (Do I need to switch to AMD64?).

It's easiest (politically) for me to purchase Dell products,
but this is where fully supported by OpenBSD is a concern.


> we'd like to have on-site hw-support at least next day
> (being in austria this is not possible with all the big server-sellers)

http://www.openbsd.org/support.html#Austria


Kevin Kadow



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-10 Thread Steve Shockley

mdff wrote:

> our favourite was/is HP's DLxxx series, but mickey@ is
> working on the ciss-port for their storage controllers and
> we don't know when it's stable for production use...


I usually wind up using older Compaq and HP servers for OpenBSD, where 
they used either Megaraid, old Adaptec or Smart/2 RAID, and they work 
fine in OpenBSD.  I haven't tried them, but I understand the HP DL145s 
work well, but they're not RAID or hot-swap.


The Dell PERC 4e/Si seems to be an LSI RAID controller, so it's possibly 
well-supported.  That seems to be the built-in RAID on the PowerEdge 
1850 and others.


I've heard Suns v20z servers are good, but if you search the archives I 
think you can find out the company that OEMs them if you don't need the 
support.  I dunno what's inside.


I think IBM's RAID controllers are unsupported.



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-08 Thread steve . shockley
On Mon, June 6, 2005 9:48 am, Mark Uemura wrote:
> Thanks for taking the time to provide me with your feedback.  I'm not
> averse to getting or taking criticism if I'm wrong and/or if I learn
> something.  As my very close father-like friend says to me, Mark, if
> you're not careful, you'll learn something everyday! :)

Just so you know, aside from my criticisms (which were misdirected since I
completely misunderstood the purpose of your talk) I thought you put
together an excellent presentation.  That probably didn't come through in
my email.  Please keep up the good work.



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-06 Thread Mark Uemura
> This is a Very Nicely Done Presentation!
>
> Dave Feustel

Hi Dave, 

Thanks a lot for this.

I'm glad that people like it because it was a lot
of work to put it together.  More so than building
and configuring systems ;)

Actually, I did get a lot of help along the way and
Ryan McBride who was really my inspiration.  I essentially
scarfed his amazing carp demo and put a little business
case together.  

Bob Beck, David Gwynne, Jonathan Gray and Michael Paddon
all gave me great suggestions and support.  I can't
forget the guys and gals that made it all possible.  
Thanks to the developers, documentors and supporters
that are equally passionate about OpenBSD and Security.
I'm just having fun and enjoying the ride :) 

Cheers,

Mark Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com

P.S. Thanks Theo!



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-06 Thread Steve Shockley

Ray Percival wrote:

> To start with http://www.schneier.com/pptp.html and also because I for
> one don't trust *any* security related code that I can't get the source
> for. I think I'm not alone here by any means.


You're talking about PPTP, I'm talking about IPsec.


> Fact of the matter is we can look at the OpenSSH code and see if the
> problems that we know about are fixed or not. You can't do that with
> closed source. So do you really want to trust your data going over a
> public network to a vendor with Microsoft's rep for getting crypto and
> security wrong?


You're talking about MS PPTP vs. OpenSSH, I'm talking about MS IPsec VPN 
vs. third-party VPN hardware (Checkpoint, Intel, Cisco).




Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-06 Thread Steve Shockley

Theo de Raadt wrote:

> Lots of commentary from you, Steve... is that why you are the one giving
> the talks?


I'm not sure I have anyone to give a talk to, and I haven't done 
anything quite as interesting (or large-scale) as this with OpenBSD.


(Besides, isn't it less talk, more code?  Of course I'm probably 
better at talking than coding.)




Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-06 Thread Miod Vallat
> (Besides, isn't it less talk, more code?  Of course I'm probably
> better at talking than coding.)

Actually, I don't know why, but people keep getting the sentence wrong,
for no good reason.

The real sentence is ``less talk, more cheese''.

Note that, I have a list if you somehow can't find good cheese to order.

Miod



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-06 Thread Steve Shockley

Mark Uemura wrote:

> six months prior to
> me taking over the SysAdmin position.


Ah, see when I read the slides, I got the impression that you came in as 
a consultant to do all this, not that you did it all in-house.



> I for one have problems putting a Windows Server on the Internet.  Even
> within a DMZ and hardened as much as I know how.   I just wouldn't be able
> to sleep at nights.


Oh, it'd be fine, for at least several minutes.


> If there is a Secure Commercial Wireless Solution that even comes
> close to the solution that I have implemented in regards to the OpenBSD's
> security track record, usability, interoperability and ease of use,
> ease of administration and cost, then please do enlighten me.


(If I knew of one that existed, I would have mentioned it.)


> The basis
> of what was implemented are on the slides.  You mention authpf in a
> negative sense.  I think it was the best thing developed since sliced
> bread :)  That's not totally true.  OpenBSD on Zaurus, PF, CARP and SPAMD
> are also right up there ;)


I'm not trying to be negative towards authpf, I'm trying to describe 
reasons someone might have to not use it.  I don't like all the crap 
Cisco makes you install to use their solution either.


> > VPN: Why the hell does everyone hate the included Microsoft VPN?  If you
> > run an MS shop, it's easy and cheap.  That uses IPsec, ISAKMP and PKI.
>
> Maybe because there's an easier, cheaper and more secure alternative!


(Compared to Cisco or Intel, not OpenBSD.)

> > It also has features to quarantine Windows clients that don't meet your
> > criteria for system security.
>
> No comment.


Why?  If you've got untrusted/unmanaged Windows clients that can connect 
into the network (i.e. Bob from Accounting connecting in from his 
unprotected home machine) then this is useful.  It's more for 
manageability than security.



> Obviously you've not run Checkpoint on Windows :)  But that's okay,
> I wouldn't wish it on anyone 8-)  By the way, in my talk, I do mention
> a point in time (August 2003) when I had to protect my firm standard
> Checkpoint Firewall with my OpenBSD Firewall due to an outbreak of
> 'nachi', 'msblaster' & 'sobig' viruses.  Imagine that, an OpenBSD
> firewall out in front protecting another firewall because it was going
> to 100% CPU utilization with dual CPU's!


Heh.  I've done the same thing with spamd and (anti-spam) mail servers, 
to add greylisting during a spam flood so the real servers could catch up.




A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-05 Thread Mark Uemura
Hi All,

I recently gave a talk that may interest some.  I hope
that it could be used by anyone presenting the merits
of OpenBSD and related Projects as a business case for
the corporate world.  The slides can be used by anyone
in any manner that would best benefit the Project.

I've updated our company website with the presentation.

http://www.openbsd-support.com/jp/en/htm/mgp/index.shtml

I hope this helps others put forth a good case for
OpenBSD in their working environment.

Cheers,

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-05 Thread Theo de Raadt
Lots of commentary from you, Steve... is that why you are the one giving
the talks?

> Mark Uemura wrote:
> > I hope this helps others put forth a good case for
> > OpenBSD in their working environment.
>
> Overall the presentation is well-done, but I take some exception with
> some of your conclusions on slide 34.  I know when I talk to a vendor
> and get unrealistic comparisons, mentally that vendor is out the door.
>
> DNS: You don't need a dual P3 with 2gb for a DNS server in Windows.  If
> the server isn't an AD controller, that P3/500 would be plenty.  If it
> is an AD controller, then the server size depends on how many users you
> have, and to offer a good comparison, you'd have to size the OpenBSD
> machine for Kerberos and LDAP.
>
> (Same argument for DHCP, if you run a DHCP server on a dual P3, the
> server is going to be bored most of the time.)
>
> I also noticed you're comparing a PC to a server.  For any OS, a real
> server will generally be a higher quality and more stable than a PC.
> PCs don't have hot-swap drives or power supplies.  Again, this isn't a
> fair comparison.
>
> Remote access: Windows' built-in Remote Desktop is included with the OS,
> you don't need OpenBSD for that.  You couldn't do that over your Intel
> VPN?  Remote Desktop is potentially vulnerable to MITM, but it's
> probably more secure than an external web site like GoToMyPC.
>
> You can also install OpenSSH on your Windows machines and manage them
> with netsh or a variety of other command-line tools.
>
> Wireless: I'm not sure if Server 2003 can act as an AP, I haven't tried
> setting it up.  It can, however, provide 802.1X authentication, which
> requires less end-user configuration (on Windows clients) than authpf.
>
> VPN: Why the hell does everyone hate the included Microsoft VPN?  If you
> run an MS shop, it's easy and cheap.  That uses IPsec, ISAKMP and PKI.
> It also has features to quarantine Windows clients that don't meet your
> criteria for system security.
>
> (Yes, the MS PPTP protocol had some weaknesses, but that was 1998.
> That'd be like avoiding OpenSSH because the SSH 1.0 protocol had some
> weaknesses.)
>
> Web: I assume you had some talking points here, specifically about
> privsep and code cleanup in OpenBSD's Apache.  The biggest problems with
> IIS are from admins enabling it when they don't need to, or using IIS
> when another product would do.  The Microsoft developers are even
> learning to run the web processes as low-privilege processes (Srv 2003
> SP1), although third-party developers aren't paying attention.
>
> Besides, you can run Apache on Windows, so the core argument is between
> the trunk Apache and OpenBSD's Apache.
>
> IDS: Snort doesn't run on Windows?
>
> Firewall: I'm not familiar with Checkpoint, but their web site
> (http://www.checkpoint.com/products/downloads/firewall-1_datasheet.pdf)
> says that Checkpoint on Windows requires 256mb RAM and doesn't list
> processor requirements.  Sounds like somebody just wanted to buy a big
> server.  There's no good reason to have two processors in a firewall.
>
> Other comments: When you boil it down, the $500 for Server 2003 isn't
> really all that expensive for a mid-size or large company.  CALs can
> make a difference in large companies, but that doesn't really come in to
> play here.
>
> You've made a good argument for using OpenBSD as a redundant firewall or
> access point, but that's more Cisco's domain than Microsoft's.  Maybe
> find out if you can set up a redundant file server using OpenBSD/CARP,
> and compare that to active/passive Windows server clustering.
>
> Don't use Micro$oft, it makes you sound like a zealot, and hasn't been
> funny since 1992.  Well, maybe leave it on slide 25, I like it
> contrasted with ChequePoint.
>
> Avoid relying on cheap hardware to make your cost point.  OpenBSD runs
> well on real, modern servers.  Managers at mid/large companies aren't
> going to want to hear about how you pulled machines out of the trash and
> now the business depends on them, even if they're 4x redundant.
>
> Slide 3: The first two paragraphs only preach to the converted.  Maybe
> add a fourth bullet point, Your competitors are probably saving money
> using it, depending on your audience.



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-05 Thread Ray Percival
On Sun, Jun 05, 2005 at 10:25:39PM -0400, Steve Shockley wrote:
> Mark Uemura wrote:
> Remote access: Windows' built-in Remote Desktop is included with the OS,
> you don't need OpenBSD for that.  You couldn't do that over your Intel
> VPN?  Remote Desktop is potentially vulnerable to MITM, but it's
> probably more secure than an external web site like GoToMyPC.
>
> VPN: Why the hell does everyone hate the included Microsoft VPN?  If you
> run an MS shop, it's easy and cheap.  That uses IPsec, ISAKMP and PKI.
> It also has features to quarantine Windows clients that don't meet your
> criteria for system security.
To start with http://www.schneier.com/pptp.html and also because I for
one don't trust *any* security related code that I can't get the source
for. I think I'm not alone here by any means.

> (Yes, the MS PPTP protocol had some weaknesses, but that was 1998.
> That'd be like avoiding OpenSSH because the SSH 1.0 protocol had some
> weaknesses.)
No. It would be like SSH having well documented fundamental flaws and
then a group with a reputation for producing bad code told us that
they were all fixed but not letting us look at the code telling us that
they are fixed.

Fact of the matter is we can look at the OpenSSH code and see if the
problems that we know about are fixed or not. You can't do that with
closed source. So do you really want to trust your data going over a
public network to a vendor with Microsoft's rep for getting crypto and
security wrong?

I sure as hell know I don't want to.
--
BOFH excuse #99:

SIMM crosstalk.

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]