Puffy Suits Up
OpenBSD in the corporate environment
Jasper Lievisse Adriaanse
Engineering team, m:tier
Latinoware 2013, Foz do Iguaçu
Oct. 16 – Oct. 18, 2013

Agenda
● Introduction
● m:tier
● OpenBSD
● Enterprise OpenBSD
● GNOME
● Closing

Introduction

What?
Because security is not an afterthought

Why?
The internet is a hostile environment

Who?
● Who am I?
● Jasper Lievisse Adriaanse
  – OpenBSD
  – GNOME
  – Puppet
● Involved in m:tier since its founding in 2008

m:tier

m:tier
● Who are we?
● OpenBSD developers
● Breathe open source
● Secure system architects

m:tier
● What do we do?
● OpenBSD
● Puppet
● Zabbix
● Bacula
● Open Source Software consultancy / implementation

m:tier
● But also
● OpenBSD Long Term Support
● Thin Client
● Binary patches
● GNOME for OpenBSD
● GNOME automounter for BSD
  – opensource.mtier.org

m:tier
● “Talk is cheap, show me the code”
● Intel KMS support
● Radeon KMS support
● Linux emulation improvements
● Signed packages

State of the world

State of the World
Governments and companies are snooping...
...on a massive scale!

State of the World
● Can you still trust closed source US software?
● Cisco PIX
● Checkpoint
● Dropbox
● iCloud
● ...

State of the World
● No, and why should you?
● Because the US can be trusted.
● Because the NSA would never spy on you.
● Because we can trust the NSA will be held accountable
That's a good joke!

What can we trust

OpenBSD

OpenBSD!
● OpenBSD?
● Unix-like, multi-platform operating system.
● Derived from 4.4BSD, NetBSD fork.
● Kernel + userland + documentation maintained together.
● 3rd party applications available via the ports system
● Anoncvs, OpenSSH, OpenBGPD, strlcpy(3)/strlcat(3), etc
● Most importantly...

OpenBSD
...it is secure.

OpenBSD
● Secure and correct
● Complexity introduces bugs
● Security and stability over features
  – Does not mean stagnation
● No Americans allowed to work on crypto
● No blobs

OpenBSD
● “NSA-proof”
● Everyone (capable and trusted) allowed to work on crypto
  – except Americans, sorry..
● Continuous auditing of all sources
● FBI + IPsec rumour
  – Publicly auditing the stack resulted in two unrelated bug fixes

OpenBSD
● Who would use OpenBSD? (I)
● Anyone who needs a super secure system.
● Anyone who doesn't want to worry about exploits.

OpenBSD
● Who would use OpenBSD? (II)
● Home users
● Small/medium businesses
● Large corporations (Adobe, etc)
● Power/gas/water companies
● Research centers (NASA, etc)
● Internet Exchanges
● Secret services..

Enterprise OpenBSD

Enterprise OpenBSD
● Enterprise setting
● Constraints
  – Budgets
  – Deadlines
● Protecting company assets
  – Business/trade secrets
  – Customer data

Enterprise OpenBSD
● What can OpenBSD offer?
● Firewall
● Routing
● VPN
● Mail
● Desktop
● ...much, much, more!

Enterprise OpenBSD
● Firewall
● PF
● Tightly coupled with anti-spam/greylisting
● ramdisk

Enterprise OpenBSD
● Routing
● OpenBGPD
● OpenOSPFD
● MPLS
● DVMRP

Enterprise OpenBSD
● VPN
● IPsec
● OpenIKED
● isakmpd
● “Government problems”

Enterprise OpenBSD
● Mail (I)
● OpenSMTPD
  – Started as sub-project
  – 15 Postfix servers → 1 OpenSMTPD server

Enterprise OpenBSD
● Mail (II)
● spamd
  – greylisting
  – tarpitting

Enterprise OpenBSD
● Mail (III)
● Zarafa
  – groupware
    ● calendar
    ● addressbook
    ● mail!

Enterprise OpenBSD
● Desktop (I)
● Thin client
  – NX
  – VNC
  – SPICE
  – Puppet

m:tier

Enterprise OpenBSD
● Desktop (II)
● Immune to virus infections
● Own ACPI implementation
● KMS for Intel and Radeon

Enterprise OpenBSD
● Desktop (III)
● Free, but comes at a cost
  – no Flash
  – no minesweeper.exe

m:tier

Puppet
● Puppet
● One master
● Three continents
● OpenBSD everywhere

GNOME

GNOME
● GNOME on OpenBSD
● co-maintainer with ajacoutot@
● Tremendous challenge
● Tremendous progress

GNOME
● Current status
● OpenBSD lacks udev/systemd
● GNOME 3.10 on OpenBSD [video]

Thank you!
mail: [email protected] / [email protected]
www: www.mtier.org
twitter: @jasper_la / @mtierltd