Bsdcan—The Technical BSD Conference

Bsdcan—The Technical BSD Conference

noyance. To address this, one must express to the user— IBM’s attitude toward open source, eventually convincing clearly and concisely—the nature of the decision to be the company to become involved in many open-source made and its impact. The authors consider the role of on - communities such as the Apache Foundation and Linux line help in aiding the user to make intelligent security de - kernel development. Venema concluded his talk by hu - cisions. morously alluding to the fact that even though his original There are several forms of online help, including docu - motivation in writing Postfix was to provide an alternative mentation, context-sensitive help, assistants, wizards, stag - to the complexity of Sendmail, the number of lines of code n Postfix has now exceeded that in Sendmail. However, he ing, and social navigation. Staging refers to the process of i training the user in steps toward more advanced security now considers the feature set of Postfix to be more or less aims (e.g., training the user on one new security idea per complete. day). Social navigation refers to the practice of showing Recent Improvements to the FreeBSD Ports Monitoring the statistics for each decision for other users on the net - System work; this is controversial because the majority may in fact Mark Linimon choose incorrectly. Several capability matrices show the Summarized by Bill Moran ([email protected]) strengths and weaknesses of each approach but in the end all are less than reliable and offer no substitute for built-in Mark Linimon provided some demonstrations of his ongo - security mechanisms that cannot be overridden. The au - ing work to tame the FreeBSD ports system. The FreeBSD thors indicate a “slight preference” for wizard-based mech - ports system provides a convenient method for building anisms in cases where changes are made infrequently. and installing third-party software on FreeBSD, and it currently includes over 17,000 applications. Mark has done a great deal of work creating a reporting mechanism BSDCan—The Technical BSD Conference that summarizes much of the development of the ports system so that problems can be more easily discovered Ottawa, Canada and addressed. The results of his efforts can be seen at May 18–19, 2007 http://portsmon.freebsd.org/. USENIX is a Gold Level Sponsor of this event. Network Stack Virtualization for FreeBSD 7.0 Open Source Security Lessons Marko Zec Wietse Venema Summarized by Bill Moran ([email protected]) Summarized by Julian C. Dunn ([email protected]) Marko Zec (http://www.tel.fer.hr/zec/) demonstrated his Wietse Venema is perhaps most well-known as the author work virtualizing the FreeBSD network stack. By abstract - of the Postfix mail transport agent, which is arguably just ing the vnet structure an additional layer, Marko was able as popular as Sendmail, the granddaddy of all mail trans - to create completely independent networking environ - port agents. He began his talk with an amusing interlude ments within a single FreeBSD instance, each with its own showing how difficult it is to quantify the popularity of IP information and routing table, thereby providing an ex - Postfix using Google Trends, given that the term “Postfix” cellent opportunity to use FreeBSD as a network research has multiple definitions. platform or to improve FreeBSD’s existing jail system. A Before Postfix, Venema was instrumental in creating live CD is available for download from http://www.tel.fer SATAN (Security Administrator’s Tool for Analyzing Net - .hr/imunes/, and Marko is working to get his improve - works) and, prior to that, the widely deployed TCP Wrap - ments merged into the mainline FreeBSD source tree. pers, which continues to be shipped with many open- Varnish HTTP Accelerator source operating systems. He shared some of the lessons Poul-Henning Kamp learned from his time spent in the open-source security space, not only in terms of the technology but in terms of Summarized by Julian C. Dunn ([email protected]) publicity as well. For example, Venema showed several Poul-Henning Kamp is a FreeBSD kernel developer who media quotations prior to the release of SATAN that has worked on a multitude of both kernel-space and “user - claimed the tool would cause widespread destruction on land” applications ranging from disk encryption to embed - the Internet. Of course, when the tool was released, no ap - ded systems. Lately, he has been working on the Varnish preciable increase or decrease in system compromises was HTTP Accelerator project (http://varnish.projects.linpro recorded, according to the various CERT organizations .no/), which aims to provide inbound HTTP acceleration Venema surveyed. for busy Web sites such as VG (http://vg.no), the Web site for a popular Norwegian newspaper. Venema has had much better media relations around the release of Postfix, claiming that a single New York Times ar - Kamp began by explaining why Squid, the classic HTTP ticle heralding the release of the “IBM Secure Mailer” proj - caching solution, is programmed poorly. He outlined the ect (as Postfix was then known) single-handedly changed methods in which it “fights the kernel” by trying to explic - ;LOGIN: AUGUST 2007 CONFERENCE SUMMARIES 105 itly separate memory and disk storage. He denounced this to significantly improve the speed and bandwidth usage by methodology, saying that because the kernel provides vir - writing a customized compression program called bsdiff tual memory services there is no need for user applications that is aware of byte substitutions. I was also interested to to do this work. Doing so results in excessive system calls, hear Colin describe existing technologies, such as HTTP which lowers performance. In contrast, Varnish simply al - pipelining and DNS SRV records, that are largely unused locates large objects in virtual memory and lets the kernel but could solve many problems plaguing the Internet. manage memory in the optimal way. How Open Source Projects Survive Poisonous People Varnish also maximizes performance in many other ways Brian Fitzpatrick and Ben Collins-Sussman by using careful programming tactics, for example, by Summarized by Bill Moran ([email protected]) avoiding expensive text-processing operations if they can be avoided. In addition, Varnish’s configuration language Being a member of several groups (not all of them open (VCL) is preprocessed and compiled into binary, then dy - source software groups), I decided to attend the lecture by namically loaded for speed. Multiple configurations can be Ben Collins-Sussman and Brian Fitzpatrick on how groups loaded concurrently and an interactive command-line in - can survive poisonous people. Ben and Brian took turns terface (CLI) manager can switch configurations, in addi - covering various aspects of four tenets: comprehension, tion to doing other cache operations such as purging ob - fortification, identification, and disinfection. I found their jects, retrieving cache statistics, and so on. insights enlightening, but the highlight was when they asked the room if anyone knew what “bikeshed” referred Future work on Varnish will see features such as edge side to, only to find that not only did everyone in the room includes and URL rewriting added. Kamp hopes to eventu - know, but the man who popularized the phrase, Poul-Hen - ally see the project moved under the auspices of the ning Kamp, was sitting in the back of the room. Apache Software Foundation, as there would be a natural synergy with the Apache HTTP Daemon. Failover and Load Balancing with pfSense FreeBSD Security Features Scott Ullrich and Chris Buechler Summarized by Chris Buechler ([email protected]) Robert Watson Summarized by Bill Moran ([email protected]) I was one of the presenters for this session and a co- founder of this project. pfSense is a FreeBSD-based firewall Robert Watson (http://www.watson.org/~robert/) gave an distribution using OpenBSD’s pf packet filter, with a Web excellent overview of his ongoing work extending the interface for configuring all aspects of the system. This FreeBSD security model, first providing an overview of presentation focused on the failover and load balancing ACLs (access control lists). ACLs offer an extremely flexi - functionality available in the system. ble method of describing permissions on filesystem ob - jects. Unfortunately, the two leading systems of ACLs, Five main topics were covered: CARP, multi-WAN failover, POSIX and NT, are not compatible. FreeBSD supports policy-based routing and failover, DNS failover, and in - POSIX ACLs, but there is interest in supporting NT ACLs, coming and outgoing load balancing. since NFSv4 uses them. Robert also described the powerful CARP allows for seamless hardware failover, to accommo - security auditing tools introduced in FreeBSD 6.2. These date hardware failure, or firewall maintenance and up - tools are required by Orange Book and other evaluations grades without loss of connectivity. Typical CARP configu - and provide a method for fine-grained monitoring of sys - rations and deployments were discussed. tems. FreeBSD’s audit tools are based on Solaris and Mac OS, but these tools can be extended with the concept of Multi-WAN failover allows the use of multiple Internet audit pipes, which allow the administrator to create multi - connections, and upon failure of a connection, the remain - ple filters of audit events. Finally, Robert covered manda - ing WAN connection(s) can be automatically used to tory access controls (MACs), which supplement discre - maintain connectivity. Common deployment scenarios tionary access controls (such as filesystem permissions). If were illustrated and discussed. you’ve worked with SE Linux, the MAC framework will Policy-based routing and failover enables routing of traffic feel familiar. based on IP protocol, TCP or UDP port, and source or des - tination IP, among other possibilities. Upon failure of the Portsnap preferred routing destination, backup destinations can be Colin Percival utilized.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    3 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us