Re: [osol-discuss] Using OpenSolaris as a security gateway
For the stated requirements, I'd tend to go with OpenBSD, largely because the features you're asking after are well-documented and extremely mature. I particularly appreciate the functionality in pf that provides a great deal of IP stack protection (e.g. fragment reassembly and synproxy, where the latter can also help with plugging covert channels via TCP SEQ/ACK IDs) in a stateful firewall. For high availability, pfsync, carp and OSPF are a very nice stack on the front end, while there's ample functionality to provide load balancing on the back end. Solaris has plenty of networking features for load balancing and HA, but I'd tend to think that the firewall features in OpenBSD are somewhat more compelling.

Not sure exactly what you need with respect to VPNs, but there's quite a lot OpenBSD can do in that department.

For IDS/IPS, I'm not current on all the tools in the area, but I'd expect much of the code to be fairly portable, with some weight in OpenBSD's favour, given its long-standing strength as a manageable and secure platform.

I'd really like to see pf and friends ported to OpenSolaris, although I gather that the refactoring of the IP stack away from using the old streams-based approach will make this a challenge (or so I've gathered from reading up on where the ipfilter port is headed). There's quite a bit of work being done in the -current release of OpenBSD in anticipation of the 4.7 release, so perhaps that might be the code to port once it's released. It would be nice to see some cross-pollination between the platforms (port pf to OpenSolaris, port DTrace to OpenBSD and maybe ZFS, although as CDDL ports, they'll never get into the core distribution, which is strictly BSD-licensed, which is much of the reason that ipfilter ended up being replaced).
On 5 Jan 2010 at 14:48, carlopmart wrote:
> Hi all,
>
> I need to deploy a new perimeter security infrastructure to install the following services:
> - High availability and load balancing firewalls
> - VPNs
> - IDS/IPS
>
> My first choice to install this scenario is to use openBSD, but will be possible to do this with opensolaris?? The most important point is high availability features ...
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
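As an added illustration of the pf features the reply above mentions (fragment reassembly and normalisation, synproxy for stateful TCP handling, carp for failover, pfsync for state-table replication, and round-robin load balancing to back-end servers), here is a minimal pf.conf. It is example configuration written for this thread, not the poster's or the OpenBSD project's own; interface names (em0/em1/em2), the 192.0.2.0/24 and 10.0.0.0/24 addresses and the back-end server list are assumed values, and the rule syntax is the post-4.6 `match`/`rdr-to` form.

```conf
# Example pf.conf (added illustration, not from the thread).
# Assumed interfaces: em0 = outside, em1 = inside, em2 = dedicated pfsync link.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
ext_addr = "192.0.2.1"                          # shared carp address on the outside
webfarm  = "{ 10.0.0.10, 10.0.0.11 }"           # assumed back-end servers
table <webfarm> { 10.0.0.10, 10.0.0.11 }

set skip on lo

# IP stack protection: reassemble fragments and normalise packets before any
# rule sees them, so overlapping/tiny fragments cannot slip past stateful
# inspection; random-id also removes the IP ID field as a covert channel.
match in all scrub (no-df random-id max-mss 1440)

# Drop packets that claim a source address belonging to a directly attached
# network but arrive on the wrong interface.
antispoof quick for { $ext_if $int_if }

block all

# Failover and state replication traffic between the two firewall nodes.
pass on $sync_if proto pfsync
pass on { $ext_if $int_if } proto carp

# Load-balance inbound web traffic across the back-end pool. synproxy state
# makes pf complete the TCP handshake on behalf of the server, so spoofed
# SYN floods never reach the back end and pf chooses the initial sequence
# numbers itself.
pass in on $ext_if proto tcp to $ext_addr port { 80, 443 } \
    rdr-to <webfarm> round-robin sticky-address synproxy state

# Outbound traffic from the inside, NATed to the shared carp address.
pass out on $ext_if from $int_if:network nat-to $ext_addr
pass in on $int_if from $int_if:network

# The carp/pfsync interfaces themselves live outside pf.conf, for reference
# (assumed values):
#   /etc/hostname.carp0   -> inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass <secret> advskew 0
#   /etc/hostname.pfsync0 -> up syncdev em2
# The standby node uses the same pf.conf with a higher advskew.
```

Load the file with `pfctl -nf /etc/pf.conf` first to syntax-check it, then `pfctl -f /etc/pf.conf`; on failover the standby already holds the replicated state table, so established connections through the synproxied and load-balanced rules survive the switch.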
Re: [osol-discuss] Using OpenSolaris as a security gateway
For the stated requirements, I'd tend to go with OpenBSD, largely because the features you're asking after are well-documented and extremely mature. I particularly appreciate the functionality in pf that provides a great deal of IP stack protection (e.g. fragment reassembly and synproxy, where the latter can also help with plugging covert channels via TCP SEQ/ACK IDs) in a stateful firewall. For high availability, pfsync, carp and OSPF are a very nice stack on the front end, while there's ample functionality to provide load balancing on the back end. Solaris has plenty of networking features for load balancing and HA, but I'd tend to think that the firewall features in OpenBSD are somewhat more compelling.

Not sure exactly what you need with respect to VPNs, but there's quite a lot OpenBSD can do in that department.

For IDS/IPS (including honeypots), I'm not current on all the tools in the area, but I'd expect much of the code to port, with some weight in OpenBSD's favour, given its strength as a manageable and secure platform.

I'd really like to see pf and friends ported to OpenSolaris, although I gather that the refactoring of the IP stack away from using the old streams-based approach will make this a challenge. There's quite a bit of work being done in the -current release of OpenBSD in anticipation of the 4.7 release, so perhaps that might be the code to port once it's released. It would be nice to see some cross-pollination between the platforms (port pf to OpenSolaris, port DTrace to OpenBSD and maybe ZFS, although as CDDL ports, they'll never get into the core distribution, which is strictly BSD-licensed, which is much of the reason that ipfilter ended up being replaced).
On 5 Jan 2010 at 14:48, carlopmart wrote:
> Hi all,
>
> I need to deploy a new perimeter security infrastructure to install the following services:
> - High availability and load balancing firewalls
> - VPNs
> - IDS/IPS
>
> My first choice to install this scenario is to use openBSD, but will be possible to do this with opensolaris?? The most important point is high availability features ...
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Using OpenSolaris as a security gateway
> - High availability and load balancing firewalls

If you know OpenBSD and especially its pf(4), then you will know after a test of IPF that pf(4) is way better.

> - VPNs

There is no tun(4) device in OpenSolaris, so no OpenVPN, vpnc and so on. Yes, you can compile it, but no support for it from Sun or the community.

> - IDS/IPS

I'm not sure here, but OpenBSD has many more packages available than OpenSolaris. BTW I found this http://www.sguil.net/ thanks to this video http://www.youtube.com/watch?v=UM4ZrsOjmNQ

And what's most important: with an OpenSolaris release you don't have any updates for free, not even security. You must pay Sun for that. You can use dev builds to receive security and normal updates for free, but after some time with a build you will discover that there are too many bugs in them, so I don't think that it's something usable for security-related stuff. I'm still waiting for an OS which will have similar quality to OpenBSD.

But if you are looking for a storage server or developer machine for Java or some other languages, then you will be happy with OpenSolaris.
--
This message posted from opensolaris.org
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Using OpenSolaris as a security gateway
On Fri, Jan 08, 2010 at 01:41:32AM -0800, Anon Y Mous wrote:
> > do you know if MAC is also available in the OpenSolaris 2009.06? I.e. I
> > assume this is mandatory access control implementation from trusted solaris
> > edition, right?
> >
> > Thanks,
> > Karel
> .
> .
> Nobody ever said that configuring Trusted Extensions would be easy ;-)

Actually, it's quite easy:
http://blogs.sun.com/gfaden/entry/using_the_dev_repository_with
(focus on, among others, txzonemgr(1M)).

/j.
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Using OpenSolaris as a security gateway
> do you know if MAC is also available in the OpenSolaris 2009.06? I.e. I
> assume this is mandatory access control implementation from trusted solaris edition,
> right?
>
> Thanks,
> Karel

@kgardas, if you look at the "What's New in OpenSolaris 2008.11" page here:
http://www.opensolaris.com/learn/features/whats-new/200811/
and go to the "6. New Packages" part and scroll down a bit, you will see the following packages were added to the main IPS repository starting with that release:

SUNWterminator            Multiple GNOME terminals in one window
SUNWtgnome-l10n-ui-de     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-es     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-fr     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-it     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-ja     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-ko     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-ptBR   GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-ru     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-sv     GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-zhCN   GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-zhHK   GNOME Trusted Extensions software message files
SUNWtgnome-l10n-ui-zhTW   GNOME Trusted Extensions software message files
SUNWtgnome-tsol-libs      GNOME Trusted Extensions Libraries - platform
SUNWtgnome-tsoljdsdevmgr  GNOME Trusted Device Manager
SUNWtgnome-tsoljdslabel   GNOME Trusted Extensions Session Label Selector
SUNWtgnome-tsoljdsselmgr  GNOME Trusted Extensions Selection Manager
SUNWtgnome-tstripe        GNOME Trusted Stripe
SUNWtgnome-xagent         GNOME Trusted Xagent
SUNWtop                   top - provides a rolling display of top cpu

So I think it's safe to assume that the entire GNOME trusted Solaris GUI has been available since OpenSolaris 2008.11, but that the components that it is made of are squirreled away somewhere in pkg.opensolaris.org and that the onus is on the system administrator to figure out what packages he needs to install and how to configure them to get the features he wants working in OpenSolaris 2009.06.

Nobody ever said that configuring Trusted Extensions would be easy ;-)
--
This message posted from opensolaris.org
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Using OpenSolaris as a security gateway
check http://blogs.sun.com/gfaden/entry/trusted_extensions_in_opensolaris_2000

There are other relevant parts of the blog too you might want to read, especially if you're willing to run the dev branch.

On Wed, Jan 6, 2010 at 4:23 AM, Karel Gardas wrote:
>> Another powerful security feature that Solaris 10 has
>> that OpenBSD doesn't have is trusted extensions:
>>
>> http://osug.org.ua/wp-content/uploads/2008/03/screenshot.png
>>
>> If you look at the link above you can see that the
>> different windows and documents are classified at
>> different levels of security and it's not possible to
>> copy and paste from a more secret / classified window
>> into a less secret / classified window. AFAIK,
>> OpenBSD does not have this capability built in in a
>> default install.
>
> Hello,
>
> do you know if MAC is also available in the OpenSolaris 2009.06? I.e. I
> assume this is mandatory access control implementation from trusted solaris
> edition, right?
>
> Thanks,
> Karel
> --
> This message posted from opensolaris.org
> ___
> opensolaris-discuss mailing list
> opensolaris-discuss@opensolaris.org
>
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Using OpenSolaris as a security gateway
> Another powerful security feature that Solaris 10 has
> that OpenBSD doesn't have is trusted extensions:
>
> http://osug.org.ua/wp-content/uploads/2008/03/screenshot.png
>
> If you look at the link above you can see that the
> different windows and documents are classified at
> different levels of security and it's not possible to
> copy and paste from a more secret / classified window
> into a less secret / classified window. AFAIK,
> OpenBSD does not have this capability built in in a
> default install.

Hello,

do you know if MAC is also available in the OpenSolaris 2009.06? I.e. I assume this is mandatory access control implementation from trusted solaris edition, right?

Thanks,
Karel
--
This message posted from opensolaris.org
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Using OpenSolaris as a security gateway
I personally would not use OpenSolaris for a minimal firewall appliance because the OpenSolaris 2009.06 "Caiman" installer is very inflexible: it forces you to use DHCP (there's no way to set a static IP address during the installation process, and you obviously don't want "network auto-magic" and avahi running on a firewall), and it also forces you to install a fully functional GNOME desktop X-windows environment (whether you want it to install this or not), and obviously in a minimal firewall setup you wouldn't want GNOME running because it adds more potential security vulnerabilities.

If you're doing a firewall and want to use Solaris, I would go with the free download of Solaris 10 U9:
http://www.sun.com/software/solaris/get.jsp
or if you really need crossbow for virtualized networking maybe try Solaris Express, but be warned that Solaris Express is an unstable development product that is in the process of being killed off by the Solaris community, so make sure you download it fast, because it is currently at build 129 and will be discontinued after build 130.

You can use the Solaris 10 installer (see pictures below):
http://www.sun.com/software/solaris/howtoguides/installationhowto.jsp
and you can use "Interactive Text Console Session" to do a text install and assign a static IP address and only install a very small, minimal amount of packages (no GNOME desktop or X-windows) to the firewall.

In my opinion, OpenBSD is probably the best OS for firewalls if all you want is a firewall (and nothing else) because it has the newer "pf" firewall:
http://www.openbsd.org/faq/pf/
which has more features than the older BSD ipfilter firewall has in Solaris. However, Solaris 10 has some very slight security advantages over OpenBSD on very large multi-user servers in large organizations (government, corporations, military, etc.) where you need fine-grained security permissions and don't want to give all power to a single "root user".
Here is an example of a very powerful security feature in Solaris 10 that I don't think exists in OpenBSD:
http://blogs.sun.com/gbrunett/entry/enforcing_a_two_man_rule

Another powerful security feature that Solaris 10 has that OpenBSD doesn't have is trusted extensions:
http://osug.org.ua/wp-content/uploads/2008/03/screenshot.png

If you look at the link above you can see that the different windows and documents are classified at different levels of security and it's not possible to copy and paste from a more secret / classified window into a less secret / classified window. AFAIK, OpenBSD does not have this capability built in in a default install.
--
This message posted from opensolaris.org
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org