Openbsd in the Corporate Environment

Puffy Suits Up OpenBSD in the corporate environment

Jasper Lievisse Adriaanse Engineering team, m:tier

Latinoware 2013, Foz do Iguaçu Oct. 16 – Oct. 18, 2013 Agenda

● Introduction

● m:tier

● OpenBSD

● Enterprise OpenBSD

● GNOME

● Closing

Latinoware 2013 Page 2 of 43 Introduction

Latinoware 2013 Page 3 of 43 What?

Because security is not an afterthought

Latinoware 2013 Page 4 of 43 Why?

The internet is a hostile environment

Latinoware 2013 Page 5 of 43 Latinoware 2013 Page 6 of 43 Who?

● Who am I?

● Jasper Lievisse Adriaanse – OpenBSD – GNOME – Puppet ● Involved in m:tier since it's founding in 2008

Latinoware 2013 Page 7 of 43 m:tier

Latinoware 2013 Page 8 of 43 m:tier

● Who are we?

● OpenBSD developers

● Breathe open source

● Secure system architects

Latinoware 2013 Page 9 of 43 m:tier

● What do we do?

● OpenBSD

● Puppet

● Zabbix

● Bacula

● Open Source Software consultancy / implementation

Latinoware 2013 Page 10 of 43 m:tier

● But also

● OpenBSD Long Term Support

● Thin Client

● Binary patches

● GNOME for OpenBSD

● GNOME automounter for BSD – opensource.mtier.org

Latinoware 2013 Page 11 of 43 m:tier

● “Talk is cheap, show me the code”

● Intel KMS support

● Radeon KMS support

● Linux emulation improvements

● Signed packages

Latinoware 2013 Page 12 of 43 State of the world

Latinoware 2013 Page 13 of 43 State of the World

Governments and companies are snooping...

...on a massive scale!

Latinoware 2013 Page 14 of 43 State of the World

● Can you still trust closed source US software?

● Cisco PIX

● Checkpoint

● Dropbox

● iCloud

● ...

Latinoware 2013 Page 15 of 43 State of the World

● No, and why should you?

● Because the US can be trusted.

● Because the NSA would never spy on you.

● Because we can trust the NSA will be held accountable

That's a good joke!

Latinoware 2013 Page 16 of 43 What can we trust

Latinoware 2013 Page 17 of 43 OpenBSD

Latinoware 2013 Page 18 of 43 OpenBSD!

● OpenBSD?

● Unix-like, multi-platform operating system.

● Derived from 4.4BSD, NetBSD fork.

● Kernel + userland + documentation maintained together.

● 3rd party applications available via the ports system

● Anoncvs, OpenSSH, OpenBGPD, strlcpy(3)/strlcat(3), etc

● Most importantly...

Latinoware 2013 Page 19 of 43 OpenBSD

...it is secure.

Latinoware 2013 Page 20 of 43 OpenBSD

● Secure and correct

● Complexity introduces bugs

● Security and stability over features – Does not mean stagnation ● No Americans allowed to work on crypto

● No blobs

Latinoware 2013 Page 21 of 43 OpenBSD

● “NSA-proof”

● Everyone (capable and trusted) allowed to work on crypto – except Americans, sorry.. ● Continuous auditing of all sources

● FBI + IPsec rumour – Publicly auditing the stack resulted in two unrelated bug fixes

Latinoware 2013 Page 22 of 43 OpenBSD

● Who would use OpenBSD? (I)

● Anyone who needs a super secure system.

● Anyone who doesn't want to worry about exploits.

Latinoware 2013 Page 23 of 43 OpenBSD

● Who would use OpenBSD? (II)

● Home users

● Small/medium businesses

● Large corporations (Adobe, etc)

● Power/gas/water companies

● Research centers (NASA, etc)

● Internet Exchanges

● Secret services..

Latinoware 2013 Page 24 of 43 Enterprise OpenBSD

Latinoware 2013 Page 25 of 43 Enterprise OpenBSD

● Enterprise setting

● Constraints – Budgets – Deadlines ● Protecting company assets – Business/trade secrets – Customer data

Latinoware 2013 Page 26 of 43 Enterprise OpenBSD

● What can OpenBSD offer?

● Firewall

● Routing

● VPN

● Mail

● Desktop

● ...much, much, more!

Latinoware 2013 Page 27 of 43 Enterprise OpenBSD

● Firewall

● PF

● Tightly coupled with anti-spam/greylisting

● ramdisk

Latinoware 2013 Page 28 of 43 Enterprise OpenBSD

● Routing

● OpenBGPD

● OpenOSPFD

● MPLS

● DVMRP

Latinoware 2013 Page 29 of 43 Enterprise OpenBSD

● VPN

● IPsec

● OpenIKED

● isakmpd

● “Government problems”

Latinoware 2013 Page 30 of 43 Enterprise OpenBSD

● Mail (I)

● OpenSMPTD – Started as sub-project – 15 Postfix server → 1 OpenSMTPD server

Latinoware 2013 Page 31 of 43 Enterprise OpenBSD

● Mail (II)

● spamd – greylisting – tarpitting

Latinoware 2013 Page 32 of 43 Enterprise OpenBSD

● Mail (III)

● Zarafa – groupware

● calendar ● addressbook ● mail!

Latinoware 2013 Page 33 of 43 Enterprise OpenBSD

● Desktop (I)

● Thin client – NX – VNC – SPICE – Puppet

Latinoware 2013 Page 34 of 43 m:tier

Latinoware 2013 Page 35 of 43 Enterprise OpenBSD

● Desktop (II)

● Immune to virus infections

● Own ACPI implementation

● KMS for Intel and Radeon

Latinoware 2013 Page 36 of 43 Enterprise OpenBSD

● Desktop (III)

● Free, but comes at a cost – no Flash – no minesweeper.exe

Latinoware 2013 Page 37 of 43 m:tier

Latinoware 2013 Page 38 of 43 Puppet

● Puppet

● One master

● Three continents

● OpenBSD everywhere

Latinoware 2013 Page 39 of 43 GNOME

Latinoware 2013 Page 40 of 43 GNOME

● GNOME on OpenBSD

● co-maintainer with ajacoutot@

● Tremendous challenge

● Tremendous progress

Latinoware 2013 Page 41 of 43 GNOME

● Current status

● OpenBSD lacks udev/systemd

● GNOME 3.10 on OpenBSD [video]

Latinoware 2013 Page 42 of 43 Thank you!

mail: [email protected] / [email protected] www: www.mtier.org twitter: @jasper_la / @mtierltd

Latinoware 2013 Page 43 of 43