Évaluation et améliorations des solutions de pare-feux redondants sous Linux et OpenBSD

Aebischer, Quentin

January 2014

L'accès permanent et sécurisé aux ressources, données et services proposés par une entreprise est devenu au fil des années un point critique dans la stratégie de mise en place de l'infrastructure réseau. Situé à l'entrée du réseau interne et chargé de faire respecter la politique de sécurité mise en place par l'administrateur, le pare-feu est bien souvent l'unique point d'accès par lequel transitent toutes les connexions avec l'extérieur, et représente de ce fait un unique point de défaillance potentiel (« single point-of-failure »). Afin de pallier cette faiblesse, plusieurs solutions de redondances de pare-feux ont vu le jour. Ce document a pour but de présenter, d'évaluer et de comparer deux solutions reconnues du monde du logiciel libre : les conntrack-tools sous Linux, et pfsync/CARP sous OpenBSD. On présente également une nouvelle implémentation de canaux d'échanges d'états de connexions entre les pare-feux sous Linux, basé sur le protocole TIPC.

Pare-feu

Linux

OpenBSD

Temps réel

Informatique

Réseau

Comparative study of operating system security using SELinux and Systrace

Öberg, Jonas

January 2009

<p>This thesis makes a comparative study of the security systemsSystrace (used primarily with OpenBSD) and SELinux (usedexclusively with Linux), trying to answer the question as to whichtype of security is offered by each respective system, and wheneach should be used. The key difference between SELinux andSystrace seems to be their mode of operation, where SELinux,built around the LSM framework in the Linux kernel, works withtype enforcement on files, sockets and other objects, whereasSystrace works on a strict system call basis. The two systems areseen to serve two different purposes which sometimes overlap,but in just as many cases provide solutions for entirely differentquality priorities.</p>

OpenBSD

Linux

security

SELinux

Systrace

Computer engineering

Datorteknik

A Comparative Study of Security Features in FreeBSD and OpenBSD

Persson, Magnus

January 2006

<p>Security in operating systems is a highly topical subject nowadays as the Internet keeps expanding. The larger the Internet gets the more systems, with valuable information, get connected, which could be subjects of attacks. An operating system needs to protect its information from these attacks. Many servers are using UNIX based operating systems and the security in these systems is a widely discussed topic.</p><p>This project is going to test and investigate the security in two of the most common UNIX distributions, both based on the Berkley Software Distribution (BSD). The selected systems are FreeBSD and OpenBSD. The Add-on called TrustedBSD/SEBSD for FreeBSD will also be a subject for this project. A comparison of the security features in the two systems was performed both theoretically and practically and this report reflects the results of these experiments and comparisons. A conclusion is that each system suits best in different environments with different needs. The selected distributions also have different level of security in specific areas. An introduction to security in operating systems on a general basis is provided before the actual comparison begins.</p>

FreeBSD

OpenBSD

UNIX

SEBSD

TrustedBSD

Computer science

Datavetenskap

??valuation et am??liorations des solutions de pare-feux redondants sous Linux et OpenBSD

Aebischer, Quentin

January 2014

L'acc??s permanent et s??curis?? aux ressources, donn??es et services propos??s par une entreprise est devenu au fil des ann??es un point critique dans la strat??gie de mise en place de l'infrastructure r??seau. Situ?? ?? l'entr??e du r??seau interne et charg?? de faire respecter la politique de s??curit?? mise en place par l'administrateur, le pare-feu est bien souvent l'unique point d'acc??s par lequel transitent toutes les connexions avec l'ext??rieur, et repr??sente de ce fait un unique point de d??faillance potentiel (?? single point-of-failure ??). Afin de pallier cette faiblesse, plusieurs solutions de redondances de pare-feux ont vu le jour. Ce document a pour but de pr??senter, d'??valuer et de comparer deux solutions reconnues du monde du logiciel libre : les conntrack-tools sous Linux, et pfsync/CARP sous OpenBSD. On pr??sente ??galement une nouvelle impl??mentation de canaux d'??changes d'??tats de connexions entre les pare-feux sous Linux, bas?? sur le protocole TIPC.

Pare-feu

Linux

OpenBSD

Temps r??el

Informatique

R??seau

Comparative study of operating system security using SELinux and Systrace

Öberg, Jonas

January 2009

This thesis makes a comparative study of the security systemsSystrace (used primarily with OpenBSD) and SELinux (usedexclusively with Linux), trying to answer the question as to whichtype of security is offered by each respective system, and wheneach should be used. The key difference between SELinux andSystrace seems to be their mode of operation, where SELinux,built around the LSM framework in the Linux kernel, works withtype enforcement on files, sockets and other objects, whereasSystrace works on a strict system call basis. The two systems areseen to serve two different purposes which sometimes overlap,but in just as many cases provide solutions for entirely differentquality priorities.

OpenBSD

Linux

security

SELinux

Systrace

Computer Engineering

Datorteknik

A Comparative Study of Security Features in FreeBSD and OpenBSD

Persson, Magnus

January 2006

Security in operating systems is a highly topical subject nowadays as the Internet keeps expanding. The larger the Internet gets the more systems, with valuable information, get connected, which could be subjects of attacks. An operating system needs to protect its information from these attacks. Many servers are using UNIX based operating systems and the security in these systems is a widely discussed topic. This project is going to test and investigate the security in two of the most common UNIX distributions, both based on the Berkley Software Distribution (BSD). The selected systems are FreeBSD and OpenBSD. The Add-on called TrustedBSD/SEBSD for FreeBSD will also be a subject for this project. A comparison of the security features in the two systems was performed both theoretically and practically and this report reflects the results of these experiments and comparisons. A conclusion is that each system suits best in different environments with different needs. The selected distributions also have different level of security in specific areas. An introduction to security in operating systems on a general basis is provided before the actual comparison begins.

FreeBSD

OpenBSD

UNIX

SEBSD

TrustedBSD

Computer Sciences

Datavetenskap (datalogi)

Lastbalanseringskluster : En studie om operativsystemets påverkan på lastbalanseraren

Liv, Jakob, Nygren, Fredrik

January 2014

Denna rapport innehåller en studie över ett operativsystems påverkan på lastbalanserarenHAproxy. Studien utfördes i en experimentmiljö med fyra virtuella testklienter, en lastbalanseraresamt tre webbservernoder kopplade till lastbalanseraren. Operativsystemet varhuvudpunkten i studien där belastningen på dess hårdvara, svarstiden, antalet anslutningarsamt det maximala antalet anslutninger per sekund undersöktes. De operativsystem somtestades var Ubuntu 10.04, CentOS 6.5, FreeBSD 9.1 och OpenBSD 5.5. Resultaten fråntesterna visar att hårdvaran och svarstiden är näst intill identisk på samtliga operativsystemmed undantag för OpenBSD där förutsättningarna för att genomföra hårdvarutesternainte kunde uppnås. FreeBSD var det operativsystem som klarade av att hantera flestantal anslutningar tillsammans med CentOS. Ubuntu visade sig vara mer begränsat ochOpenBSD var mycket begränsat. FreeBSD klarade även av högst antal anslutningar persekund, följt av Ubuntu, CentOS och slutligen OpenBSD som visade sig vara det sämstpresterande. / This report contains a study over an operating system’s impact on the load balancerHAproxy. The study was performed in an experimental environment with four virtualclients for testing, one load balancer and three web server nodes connected to the loadbalancer. The operating system was the main point in the study where the load on theload balancer’s hardware, the response time, the amount of connections and the maximumamount of connections per second were examined. The operating systems whichwere tested was Ubuntu 10.04, CentOS 6.5, FreeBSD 9.1 and OpenBSD 5.5. The resultsfrom the tests shows that the load on the hardware and the response time are almost identicalon all operating systems with the exception of OpenBSD where the conditions to beable to run the hardware tests could not be achieved. FreeBSD was the operating systemthat was able to manage the highest amount of connections along with CentOS. Ubuntuturned out to be more limited and OpenBSD was very limited. FreeBSD also managedthe highest amount of connections per second, followed by Ubuntu, CentOS and finallyOpenBSD which turned out to be the worst performer.

Keywords: Cluster

load balancing

httperf

hardware monitoring

connections

processor

internal memory

Ubuntu

CentOS

FreeBSD

OpenBSD

Nyckelord: Kluster

lastbalansering

HAproxy

httperf

hårdvaruövervakning

anslutningar

processor

internminne

Ubuntu

CentOS

FreeBSD

OpenBSD

OpenBSD Hardware Sensors — Environmental Monitoring and Fan Control

Murenin, Constantine Aleksandrovich

18 May 2010

This thesis discusses the motivation, origin, history, design guidelines, API, the device drivers and userland utilities of the hardware sensors framework available in OpenBSD. The framework spans multiple utilities in the base system and the ports tree, is utilised by over 75 drivers, and is considered to be a distinctive and ready-to-use feature that sets OpenBSD apart from many other operating systems, and in its root is inseparable from the OpenBSD experience. The present framework, however, is missing the functionality that would allow the user to interface with the fan-controlling part of the hardware monitors. We therefore discuss the topic of fan control and introduce sysctl-based interfacing with the fan-controlling capabilities of microprocessor system hardware monitors. The discussed prototype implementation reduces the noise and power-consumption characteristics in fans of personal computers, especially of those PCs that are designed from off-the-shelf components. We further argue that our prototype is easier, more intuitive and robust compared to solutions available elsewhere.

OpenBSD

BSD

DragonFly

DragonFly BSD

FreeBSD

NetBSD

sensors

hw.sensors

sysctl

fanctl

fan control

hardware sensors

SMBus

I2C

hardware monitor

microprocessor system hardware monitors

lm

lm_sensors

sysmon

envsys

ACPI

BIOS

drivers

device drivers

open source

I²C

thermal

temperature

framework

monitoring

kernel

Computer Science

OpenBSD Hardware Sensors — Environmental Monitoring and Fan Control

Murenin, Constantine Aleksandrovich

18 May 2010

This thesis discusses the motivation, origin, history, design guidelines, API, the device drivers and userland utilities of the hardware sensors framework available in OpenBSD. The framework spans multiple utilities in the base system and the ports tree, is utilised by over 75 drivers, and is considered to be a distinctive and ready-to-use feature that sets OpenBSD apart from many other operating systems, and in its root is inseparable from the OpenBSD experience. The present framework, however, is missing the functionality that would allow the user to interface with the fan-controlling part of the hardware monitors. We therefore discuss the topic of fan control and introduce sysctl-based interfacing with the fan-controlling capabilities of microprocessor system hardware monitors. The discussed prototype implementation reduces the noise and power-consumption characteristics in fans of personal computers, especially of those PCs that are designed from off-the-shelf components. We further argue that our prototype is easier, more intuitive and robust compared to solutions available elsewhere.

OpenBSD

BSD

DragonFly

DragonFly BSD

FreeBSD

NetBSD

sensors

hw.sensors

sysctl

fanctl

fan control

hardware sensors

SMBus

I2C

hardware monitor

microprocessor system hardware monitors

lm

lm_sensors

sysmon

envsys

ACPI

BIOS

drivers

device drivers

open source

I²C

thermal

temperature

framework

monitoring

kernel

Computer Science