SlideShare una empresa de Scribd logo

Evaluating Open Source Security Software

John ILIADIS
John ILIADIS

Invited lecture, Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece, January 2003.

Tecnología
1 de 37
Descargar para leer sin conexión
Evaluating Open Source Security Software SECRETS Project (IST-2000-29289) John Iliadis R&D Unit Intrasoft International Slide 1 of 37
Summary SECRETS project aims at evaluating the use of open source security protocols, with respect to the efficiency and performance of the services they offer, by means of conducting specific experiments. Protocols: • • OpenSSL (SSL) FreeS/WAN (IPsec) Experiments drawn from: • • • • E­Commerce Mobile Communications Network Monitoring Intelligent Networks Slide 2 of 37
General Approach Adapt selected applications to operate with open source security software Experiment with the use of open source security software in the selected applications, according to an evaluation methodology Produce an evaluation report on the use of OpenSSL and FreeS/WAN Slide 3 of 37
SECRETS Evaluation Framework Evaluation of the developing organisations • • • Capability and Stability of the organisations Support services for the products Ability to feed requirements into the developing process Product evaluation • Product Capability • • Product Stability Product Maintainability • Conformity verification • Interoperability Application experiments • • • • E-Tender experiment (Intrasoft International) GPRS experiment (Motorola) Network monitoring experiment (Solinet) Intelligent network experiment (Alcatel) Slide 4 of 37
Evaluation of the developing organisations (1) Capability and Stability of the organisations • • • • • The prehistory of the organisation, which will provide an insight on its quality, The official start of the Open Source project, and the work performed since then, in order to examine how active the organisation is, Licensing scheme under which the software package is distributed, The number of members and identity of the development team that contributes to the organisation. The commercial or not applications that use the product – in conjunction with the companies/organisations that interact with the specific organisation. Slide 5 of 37
Evaluation of the developing organisations (2) Support services for the products • • • • Maintenance and continuous update of a central Web site which is the reference for all the users of the product Documentation of the source code Installation support Releasing of support packages - Patches Ability to feed requirements into the developing process Slide 6 of 37
Product Evaluation (1) Product Capability • Conformity verification the conformity of OpenSSL and FreeS/WAN to Netscape’s SSL and IETF IPSec, respectively • Interoperability the ability of OpenSSL and FreeS/Wan to successfully interoperate with other software implementations of the SSL and IPSec protocols Slide 7 of 37
Product Evaluation (2) Product Stability • a measure of how often a software changes and to what degree Product Maintainability the ability of a user of OpenSSL or FreeS/Wan to understand, maintain, use, and upgrade the software. Evaluation criteria: • Available documentation, • quality of the code, • adherence of the code development to standards adopted by the developing organisation (if any). Slide 8 of 37
Test Cases (1) Intrasoft International: E-Tender – OpenSSL • • • • Installation and Configuration Identification, Authentication, Authorisation Integrity Confidentiality Motorola: GPRS – FreeS/WAN • • • • • Installation and Configuration Functional verification CPU utilisation (10 Mbps: up to 240% in peer, up to 900% in  gateway) End­to­end delay (10 Mbps: up to 140%) Interoperability (Cisco IPsec) Slide 9 of 37
Test Cases – Evaluation Metrics (2) Alcatel: Intelligent Networks – OpenSSL • • • • • Installation and Configuration Functionality Security Performance (3.5% overhead) Time critical parts Solinet: Network Monitoring – OpenSSL • • • Installation and Configuration Conformity verification Performance (40% overhead) Slide 10 of 37
OpenSSL – FreeS/WAN Evaluation OpenSSL Evaluation • • • Evaluation of the OpenSSL organisation OpenSSL Product Evaluation Conclusions FreeS/WAN Evaluation • • • Slide 11 of 37 Evaluation of the FreeS/WAN organisation FreeS/WAN Product Evaluation Conclusions
Evaluation Scale Good Fair Poor Slide 12 of 37
Evaluation of the OpenSSL organisation (1) Capability and stability of the organisation = good • • • Number of members and software releases indicate the organisation is actively promoting the use of OpenSSL Licensing scheme allows unrestricted and free use in commercial products. A high number of open source and commercial products already use OpenSSL Slide 13 of 37
Evaluation of the OpenSSL organisation (2) Support services for the products = fair • • • User friendly navigation in OpenSSL web site Straightforward and documented OpenSSL installation procedure Structured documentation, but • Incomplete • Overlapping (documentation for old and new versions of the same functionality coexist) • Poor patch installation guidelines. Expertise required. Slide 14 of 37
Evaluation of the OpenSSL organisation (3) Ability to feed requirements into the developing process = good • User support channels: Internet mailing lists • Rapid response to posted questions, within the open source community practices. • Rapid inclusion of reported bugs in the developing process, within the open source community practices. • Replies posted in mailing lists provide accurate information Slide 15 of 37
OpenSSL software module evaluation (1) Software module capability: Conformity verification Communicating Entity (OpenSSL integrated) Slide 16 of 37 OpenSSL secure communication Communicating Entity (OpenSSL integrated)
OpenSSL software module evaluation (2) Software module capability: Conformity verification (2) A8619 has been configured with • IEEE 802.3 MAC protocol disassembly profile • IP protocol disassembly profile • TCP protocol disassembly profile • SSL/TLS protocol disassembly profile • X.509 certificate decoding profile Slide 17 of 37
OpenSSL software module evaluation (3) Software module capability: Conformity verification (3) The OpenSSL protocol negotiation has been decoded properly using the relevant A8619 protocol disassembly profiles, verifying the conformity of the OpenSSL protocol to the relevant standards Slide 18 of 37
OpenSSL software module evaluation (4) Software module capability: Interoperability • Interoperability with Microsoft Internet Explorer and Netscape Navigator • Experimenting with Apache Web Server • Apache uses OpenSSL for SSL support, through the modSSL interface module • Apache used extensively (60% of Web Servers worldwide, Netcraft survey, November 2002) • modSSL backwards compatible to other OpenSSL interface modules Slide 19 of 37
OpenSSL software module evaluation (5) Software module capability: Interoperability (2) • Interoperability problems located: • OpenSSL supports a Password Based Encryption method for private keys, that is not supported by all Web browsers (PBEMD5-DES) solution: use other OpenSSL PBE methods for encrypting private keys to be used by Web browsers • Minor encoding ASN.1 errors, resulting in malformed certificates being parsed incorrectly solution: update OpenSSL, when ASN.1 encoding errors are fixed Slide 20 of 37
OpenSSL software module evaluation (6) Software module stability OpenSSL product stability factor : 0,51 According to established software engineering practices, a product stability factor of 0,5 is considered to be adequate, for commercial software. Therefore, the open source OpenSSL software package is considered stable. Slide 21 of 37
OpenSSL software module evaluation (7) Software module maintainability (1) • • • • Few patches: patch factor 0,022 the influence of patches in maintainability is minor. ‘Makefiles’ available for automatic compilation and installation of the OpenSSL software package in a variety of operating systems. Distributions contain a text file where all changes, since the previous version, are described Online documentation available, comprising of: • Contributions by code authors, • Contributions by third parties, • Lately (Aug 2002), a book. Slide 22 of 37
OpenSSL software module evaluation (8) Software module maintainability (2) Available documentation • • • lack of consistency lack of an integrated Table of Contents, or Master Document semantic overlaps • two or more authors covering the same subject • documentation is available, covering older and newer versions of the source code • No documentation on the code structure Slide 23 of 37
Conclusions on OpenSSL OpenSSL Organisation • • • Capability and stability of the organisation = good Support services for the product = fair Feeding requirements to the developing process = good OpenSSL Product • • • • Conformity verification = good Interoperability = good Stability = good Maintainability = fair (for open source community practices) Slide 24 of 37
Evaluation of the FreeS/WAN organisation (1) Capability and stability of the organisation = fair • • The FreeS/WAN development team consists of experienced software developers and engineers. The FreeS/WAN software package is already widely used. Slide 25 of 37
Evaluation of the FreeS/WAN organisation (2) Support services for the products = poor • • • Navigation in the FreeS/WAN web site is not user friendly Documentation provided is not structured and requires advanced experience on several issues (e.g Linux, configuration files etc.) Documentation provided does not contain • configuration examples • detailed installation guidelines • patch installation guidelines Slide 26 of 37
Evaluation of the FreeS/WAN organisation (3) Ability to feed requirements into the developing process = poor • Communication channel with users and developers: Internet mailing lists • response time is not adequate, for a commercial organisation • difficult to track related postings Slide 27 of 37
FreeS/WAN software module evaluation (1) Ethernet link IPsec protocol Ethernet link IPsec protocol Traffic Generator GGSN HW platform Redhat Linux v7.2 FreeS/WAN ported Linux Test Station Redhat Linux v7.2 FreeS/WAN ported tcpdump enabled Software module capability: Functional Verification • • • Use of the tcpdump and ethereal tools Verification of the ISAKMP negotiation Verification of the FreeS/WAN encryption Slide 28 of 37
FreeS/WAN software module evaluation (2) Software module capability: Interoperability (1) • FreeS/WAN does not implement single DES and Diffie-Helman group 1 (768-bit) because they are insecure. • Solution: Avoid configuration related to single DES and Diffie-Hellman group 1 • RFCs define two modes for IKE negotiations including the main mode and the aggressive mode. FreeS/WAN does not implement aggressive mode. • Solution: If the default option of the other peers is the aggressive mode the user should configure them for main mode Slide 29 of 37
FreeS/WAN software module evaluation (3) Software module capability: Interoperability (2) • FreeS/WAN provides perfect forward secrecy (PFS) by default, which is more secure and cost effective. However, some other implementations turn PFS off by default. • Solution: Users should either disable PFS in FreeS/WAN, or enable PFS in the other peers • The IKE protocol allows several types of optional messages. FreeS/WAN ignores optional messages. Problems may arise if the other end relies on the use of optional messages. • Solution: Modifications to the source code of FreeS/WAN Slide 30 of 37
FreeS/WAN software module evaluation (4) Software module capability: Interoperability (3) • Concerning FreeS/WAN interoperability with Windows 2000 IPSec, a problem with respect to IKE was reported. • Solution : FreeS/WAN has changed (from version 1.92 and on) the handling of this. • General rule for interoperate with FreeS/WAN • • • • Slide 31 of 37 main mode for IKE negotiation triple DES encryption Diffie-Hellman Group 2 (1024-bit) or Group 5 (1536-bit) Perfect Forward Secrecy enabled
FreeS/WAN software module evaluation (5) Software module capability: Interoperability (4) • Discrepancies in IPSec terminology used in IPSec implementations • Solution: Developers should be aware of the discrepancies in terminology, and interpret the terms they meet, depending on the IPSec implementation they are using. • IPSec is a peer to peer protocol. IPSec clients cannot provide IPSec services for subnets residing behind them, only IPSec gateways can. • Solution: If there is a need to support a subnet behind an IPSec implementation, use an IPSec gateway instead of an IPSec client Slide 32 of 37
FreeS/WAN software module evaluation (6) Software module stability • • • • • Unexpected communication problems may emerge with VPN clients that use DHCP and NAT. FreeS/WAN has restricted functionality concerning shared secret authentication. The FreeS/WAN organisation counter proposes RSA for authentication purposes. However, no IPSec standard has yet been implemented for user authentication. No support for X.509 or other certificates No support for single DES encryption No support for AES encryption Slide 33 of 37
FreeS/WAN software module evaluation (7) Software module maintainability • • • • FreeS/WAN does not provide any documentation regarding the architecture of the software module. A source code walk-through is required, to understand the functionality of the FreeS/WAN software subsystems. An initial source code walk-through we performed, indicated that the source code is not well structured, and that comments are not used throughout the code, thus reducing its maintainability. Although the size of the FreeS/WAN patches is not too big, their number is quite big (more than 15) during the FreeS/WAN project period having a detrimental effect on software maintainability. Slide 34 of 37
Conclusions on FreeS/WAN FreeS/WAN Organisation • • • Capability and stability of the organisation = fair Support services for the product = poor Feeding requirements to the developing process = poor FreeS/WAN Product • • • • Functional verification = good Interoperability = fair Stability = fair Maintainability = fair Slide 35 of 37
…for more info For more info, visit http://laplace.intrasoft-intl.com/secrets/ Slide 36 of 37
Q&A Slide 37 of 37

Recomendados

intro to DevOps
intro to DevOpsintro to DevOps
intro to DevOps
Mujahed Al-Tahle
 
Presentation
PresentationPresentation
Presentation
Ptidej Team
 
Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps Transformation
Deborah Schalm
 
Continuous Delivery for people who do not write code - Matthew Skelton - Conflux
Continuous Delivery for people who do not write code - Matthew Skelton - ConfluxContinuous Delivery for people who do not write code - Matthew Skelton - Conflux
Continuous Delivery for people who do not write code - Matthew Skelton - Conflux
Matthew Skelton
 
Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...
Jonah Kowall
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps Environment
Black Duck by Synopsys
 
Srikanth_testing resume
Srikanth_testing resumeSrikanth_testing resume
Srikanth_testing resume
srikanth Burra
 
Everything you need to know about your open source support contract
Everything you need to know about your open source support contractEverything you need to know about your open source support contract
Everything you need to know about your open source support contract
Rogue Wave Software
 

Recomendados

intro to DevOps
intro to DevOpsintro to DevOps
intro to DevOps
Mujahed Al-Tahle
 
Presentation
PresentationPresentation
Presentation
Ptidej Team
 
Security Implications for a DevOps Transformation
Security Implications for a DevOps TransformationSecurity Implications for a DevOps Transformation
Security Implications for a DevOps Transformation
Deborah Schalm
 
Continuous Delivery for people who do not write code - Matthew Skelton - Conflux
Continuous Delivery for people who do not write code - Matthew Skelton - ConfluxContinuous Delivery for people who do not write code - Matthew Skelton - Conflux
Continuous Delivery for people who do not write code - Matthew Skelton - Conflux
Matthew Skelton
 
Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...
Jonah Kowall
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps Environment
Black Duck by Synopsys
 
Srikanth_testing resume
Srikanth_testing resumeSrikanth_testing resume
Srikanth_testing resume
srikanth Burra
 
Everything you need to know about your open source support contract
Everything you need to know about your open source support contractEverything you need to know about your open source support contract
Everything you need to know about your open source support contract
Rogue Wave Software
 
DevOps Service | Mindtree
DevOps Service | MindtreeDevOps Service | Mindtree
DevOps Service | Mindtree
AnikeyRoy
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
Coveros, Inc.
 
We've Got Docker & Cloud, Now What?
We've Got Docker & Cloud, Now What? We've Got Docker & Cloud, Now What?
We've Got Docker & Cloud, Now What?
XebiaLabs
 
Strategies for agile software test automation
Strategies for agile software test automationStrategies for agile software test automation
Strategies for agile software test automation
Eliane Collins
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey
 
The Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software TestingThe Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software Testing
Sebastiano Panichella
 
Cal19.ppt
Cal19.pptCal19.ppt
Cal19.ppt
Yann-Gaël Guéhéneuc
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source:
Black Duck by Synopsys
 
Top devops solution providers
Top devops solution providersTop devops solution providers
Top devops solution providers
ayush gupta
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the Hub
Black Duck by Synopsys
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
Synopsys Software Integrity Group
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
Tom Stiehm
 
Internship Report
Internship ReportInternship Report
Internship Report
Ritoban Gupta
 
Dev ops and safety critical systems
Dev ops and safety critical systemsDev ops and safety critical systems
Dev ops and safety critical systems
Len Bass
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous Testing
Parasoft
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Project
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
Black Duck by Synopsys
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1
G R VISHAL
 
Overcoming software development challenges by using an integrated software fr...
Overcoming software development challenges by using an integrated software fr...Overcoming software development challenges by using an integrated software fr...
Overcoming software development challenges by using an integrated software fr...
Design World
 

Más contenido relacionado

La actualidad más candente

The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 

La actualidad más candente (20)

DevOps Service | Mindtree
DevOps Service | MindtreeDevOps Service | Mindtree
DevOps Service | Mindtree
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
 
We've Got Docker & Cloud, Now What?
We've Got Docker & Cloud, Now What? We've Got Docker & Cloud, Now What?
We've Got Docker & Cloud, Now What?
 
Strategies for agile software test automation
Strategies for agile software test automationStrategies for agile software test automation
Strategies for agile software test automation
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
The Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software TestingThe Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software Testing
 
Cal19.ppt
Cal19.pptCal19.ppt
Cal19.ppt
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source:
 
Top devops solution providers
Top devops solution providersTop devops solution providers
Top devops solution providers
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the Hub
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
 
Internship Report
Internship ReportInternship Report
Internship Report
 
Dev ops and safety critical systems
Dev ops and safety critical systemsDev ops and safety critical systems
Dev ops and safety critical systems
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous Testing
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 

Similar a Evaluating Open Source Security Software

Overcoming software development challenges by using an integrated software fr...
Overcoming software development challenges by using an integrated software fr...Overcoming software development challenges by using an integrated software fr...
Overcoming software development challenges by using an integrated software fr...
Design World
 
Bridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionBridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to Production
Florian Wilhelm
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Weaveworks
 
Open Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are usingOpen Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are using
All Things Open
 

Similar a Evaluating Open Source Security Software (20)

Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1
 
Overcoming software development challenges by using an integrated software fr...
Overcoming software development challenges by using an integrated software fr...Overcoming software development challenges by using an integrated software fr...
Overcoming software development challenges by using an integrated software fr...
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
Bridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to ProductionBridging the Gap: from Data Science to Production
Bridging the Gap: from Data Science to Production
 
Software Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesSoftware Analytics - Achievements and Challenges
Software Analytics - Achievements and Challenges
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
How Azure DevOps can boost your organization's productivity
How Azure DevOps can boost your organization's productivityHow Azure DevOps can boost your organization's productivity
How Azure DevOps can boost your organization's productivity
 
Utilisation de la plateforme virtuelle QEMU/SystemC pour l'IoT
Utilisation de la plateforme virtuelle QEMU/SystemC pour l'IoTUtilisation de la plateforme virtuelle QEMU/SystemC pour l'IoT
Utilisation de la plateforme virtuelle QEMU/SystemC pour l'IoT
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Best Practices for Enterprise Continuous Delivery of Oracle Fusion Middlewa...
Best Practices for Enterprise Continuous Delivery of Oracle Fusion Middlewa...Best Practices for Enterprise Continuous Delivery of Oracle Fusion Middlewa...
Best Practices for Enterprise Continuous Delivery of Oracle Fusion Middlewa...
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource WebinarFind Out What's New With WhiteSource May 2018- A WhiteSource Webinar
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
 
Open Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are usingOpen Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are using
 
kishore
kishorekishore
kishore
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
Cypress Automation Training Course | Cypress Tool Online Training
Cypress Automation Training Course | Cypress Tool Online TrainingCypress Automation Training Course | Cypress Tool Online Training
Cypress Automation Training Course | Cypress Tool Online Training
 
Leveraging Analytics for DevOps
Leveraging Analytics for DevOpsLeveraging Analytics for DevOps
Leveraging Analytics for DevOps
 

Más de John ILIADIS

Addressing security issues in programming languages for mobile code - Confere...
Addressing security issues in programming languages for mobile code - Confere...Addressing security issues in programming languages for mobile code - Confere...
Addressing security issues in programming languages for mobile code - Confere...
John ILIADIS
 

Más de John ILIADIS (13)

Information security and digital payments; thoughts about current trends
Information security and digital payments; thoughts about current trendsInformation security and digital payments; thoughts about current trends
Information security and digital payments; thoughts about current trends
 
Security in RegTech's Playground
Security in RegTech's PlaygroundSecurity in RegTech's Playground
Security in RegTech's Playground
 
Malicious Software. In Greek.
Malicious Software. In Greek.Malicious Software. In Greek.
Malicious Software. In Greek.
 
PKI : The role of TTPs for the Development of secure Transaction Systems
PKI : The role of TTPs for the Development of secure Transaction SystemsPKI : The role of TTPs for the Development of secure Transaction Systems
PKI : The role of TTPs for the Development of secure Transaction Systems
 
Reshaping Key Management: A Tale of Two Decades
Reshaping Key Management: A Tale of Two DecadesReshaping Key Management: A Tale of Two Decades
Reshaping Key Management: A Tale of Two Decades
 
PKI: Is it worth something, or what?
PKI: Is it worth something, or what?PKI: Is it worth something, or what?
PKI: Is it worth something, or what?
 
Certificate Revocation: What Is It And What Should It Be
Certificate Revocation: What Is It And What Should It BeCertificate Revocation: What Is It And What Should It Be
Certificate Revocation: What Is It And What Should It Be
 
ADoCSI: Towards a Transparent Mechanism for Disseminating Certificate Status ...
ADoCSI: Towards a Transparent Mechanism for Disseminating Certificate Status ...ADoCSI: Towards a Transparent Mechanism for Disseminating Certificate Status ...
ADoCSI: Towards a Transparent Mechanism for Disseminating Certificate Status ...
 
E-Commerce Security: A Primer
E-Commerce Security: A PrimerE-Commerce Security: A Primer
E-Commerce Security: A Primer
 
PKI: Overpromising and Underdelivering
PKI: Overpromising and UnderdeliveringPKI: Overpromising and Underdelivering
PKI: Overpromising and Underdelivering
 
What is (not) Network Security
What is (not) Network SecurityWhat is (not) Network Security
What is (not) Network Security
 
Network Security: Putting Theory into Practice, the Wrong Way
Network Security: Putting Theory into Practice, the Wrong WayNetwork Security: Putting Theory into Practice, the Wrong Way
Network Security: Putting Theory into Practice, the Wrong Way
 
Addressing security issues in programming languages for mobile code - Confere...
Addressing security issues in programming languages for mobile code - Confere...Addressing security issues in programming languages for mobile code - Confere...
Addressing security issues in programming languages for mobile code - Confere...
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Último (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Evaluating Open Source Security Software

  • 1. Evaluating Open Source Security Software SECRETS Project (IST-2000-29289) John Iliadis R&D Unit Intrasoft International Slide 1 of 37
  • 2. Summary SECRETS project aims at evaluating the use of open source security protocols, with respect to the efficiency and performance of the services they offer, by means of conducting specific experiments. Protocols: • • OpenSSL (SSL) FreeS/WAN (IPsec) Experiments drawn from: • • • • E­Commerce Mobile Communications Network Monitoring Intelligent Networks Slide 2 of 37
  • 3. General Approach Adapt selected applications to operate with open source security software Experiment with the use of open source security software in the selected applications, according to an evaluation methodology Produce an evaluation report on the use of OpenSSL and FreeS/WAN Slide 3 of 37
  • 4. SECRETS Evaluation Framework Evaluation of the developing organisations • • • Capability and Stability of the organisations Support services for the products Ability to feed requirements into the developing process Product evaluation • Product Capability • • Product Stability Product Maintainability • Conformity verification • Interoperability Application experiments • • • • E-Tender experiment (Intrasoft International) GPRS experiment (Motorola) Network monitoring experiment (Solinet) Intelligent network experiment (Alcatel) Slide 4 of 37
  • 5. Evaluation of the developing organisations (1) Capability and Stability of the organisations • • • • • The prehistory of the organisation, which will provide an insight on its quality, The official start of the Open Source project, and the work performed since then, in order to examine how active the organisation is, Licensing scheme under which the software package is distributed, The number of members and identity of the development team that contributes to the organisation. The commercial or not applications that use the product – in conjunction with the companies/organisations that interact with the specific organisation. Slide 5 of 37
  • 6. Evaluation of the developing organisations (2) Support services for the products • • • • Maintenance and continuous update of a central Web site which is the reference for all the users of the product Documentation of the source code Installation support Releasing of support packages - Patches Ability to feed requirements into the developing process Slide 6 of 37
  • 7. Product Evaluation (1) Product Capability • Conformity verification the conformity of OpenSSL and FreeS/WAN to Netscape’s SSL and IETF IPSec, respectively • Interoperability the ability of OpenSSL and FreeS/Wan to successfully interoperate with other software implementations of the SSL and IPSec protocols Slide 7 of 37
  • 8. Product Evaluation (2) Product Stability • a measure of how often a software changes and to what degree Product Maintainability the ability of a user of OpenSSL or FreeS/Wan to understand, maintain, use, and upgrade the software. Evaluation criteria: • Available documentation, • quality of the code, • adherence of the code development to standards adopted by the developing organisation (if any). Slide 8 of 37
  • 9. Test Cases (1) Intrasoft International: E-Tender – OpenSSL • • • • Installation and Configuration Identification, Authentication, Authorisation Integrity Confidentiality Motorola: GPRS – FreeS/WAN • • • • • Installation and Configuration Functional verification CPU utilisation (10 Mbps: up to 240% in peer, up to 900% in  gateway) End­to­end delay (10 Mbps: up to 140%) Interoperability (Cisco IPsec) Slide 9 of 37
  • 10. Test Cases – Evaluation Metrics (2) Alcatel: Intelligent Networks – OpenSSL • • • • • Installation and Configuration Functionality Security Performance (3.5% overhead) Time critical parts Solinet: Network Monitoring – OpenSSL • • • Installation and Configuration Conformity verification Performance (40% overhead) Slide 10 of 37
  • 11. OpenSSL – FreeS/WAN Evaluation OpenSSL Evaluation • • • Evaluation of the OpenSSL organisation OpenSSL Product Evaluation Conclusions FreeS/WAN Evaluation • • • Slide 11 of 37 Evaluation of the FreeS/WAN organisation FreeS/WAN Product Evaluation Conclusions
  • 13. Evaluation of the OpenSSL organisation (1) Capability and stability of the organisation = good • • • Number of members and software releases indicate the organisation is actively promoting the use of OpenSSL Licensing scheme allows unrestricted and free use in commercial products. A high number of open source and commercial products already use OpenSSL Slide 13 of 37
  • 14. Evaluation of the OpenSSL organisation (2) Support services for the products = fair • • • User friendly navigation in OpenSSL web site Straightforward and documented OpenSSL installation procedure Structured documentation, but • Incomplete • Overlapping (documentation for old and new versions of the same functionality coexist) • Poor patch installation guidelines. Expertise required. Slide 14 of 37
  • 15. Evaluation of the OpenSSL organisation (3) Ability to feed requirements into the developing process = good • User support channels: Internet mailing lists • Rapid response to posted questions, within the open source community practices. • Rapid inclusion of reported bugs in the developing process, within the open source community practices. • Replies posted in mailing lists provide accurate information Slide 15 of 37
  • 16. OpenSSL software module evaluation (1) Software module capability: Conformity verification Communicating Entity (OpenSSL integrated) Slide 16 of 37 OpenSSL secure communication Communicating Entity (OpenSSL integrated)
  • 17. OpenSSL software module evaluation (2) Software module capability: Conformity verification (2) A8619 has been configured with • IEEE 802.3 MAC protocol disassembly profile • IP protocol disassembly profile • TCP protocol disassembly profile • SSL/TLS protocol disassembly profile • X.509 certificate decoding profile Slide 17 of 37
  • 18. OpenSSL software module evaluation (3) Software module capability: Conformity verification (3) The OpenSSL protocol negotiation has been decoded properly using the relevant A8619 protocol disassembly profiles, verifying the conformity of the OpenSSL protocol to the relevant standards Slide 18 of 37
  • 19. OpenSSL software module evaluation (4) Software module capability: Interoperability • Interoperability with Microsoft Internet Explorer and Netscape Navigator • Experimenting with Apache Web Server • Apache uses OpenSSL for SSL support, through the modSSL interface module • Apache used extensively (60% of Web Servers worldwide, Netcraft survey, November 2002) • modSSL backwards compatible to other OpenSSL interface modules Slide 19 of 37
  • 20. OpenSSL software module evaluation (5) Software module capability: Interoperability (2) • Interoperability problems located: • OpenSSL supports a Password Based Encryption method for private keys, that is not supported by all Web browsers (PBEMD5-DES) solution: use other OpenSSL PBE methods for encrypting private keys to be used by Web browsers • Minor encoding ASN.1 errors, resulting in malformed certificates being parsed incorrectly solution: update OpenSSL, when ASN.1 encoding errors are fixed Slide 20 of 37
  • 21. OpenSSL software module evaluation (6) Software module stability OpenSSL product stability factor : 0,51 According to established software engineering practices, a product stability factor of 0,5 is considered to be adequate, for commercial software. Therefore, the open source OpenSSL software package is considered stable. Slide 21 of 37
  • 22. OpenSSL software module evaluation (7) Software module maintainability (1) • • • • Few patches: patch factor 0,022 the influence of patches in maintainability is minor. ‘Makefiles’ available for automatic compilation and installation of the OpenSSL software package in a variety of operating systems. Distributions contain a text file where all changes, since the previous version, are described Online documentation available, comprising of: • Contributions by code authors, • Contributions by third parties, • Lately (Aug 2002), a book. Slide 22 of 37
  • 23. OpenSSL software module evaluation (8) Software module maintainability (2) Available documentation • • • lack of consistency lack of an integrated Table of Contents, or Master Document semantic overlaps • two or more authors covering the same subject • documentation is available, covering older and newer versions of the source code • No documentation on the code structure Slide 23 of 37
  • 24. Conclusions on OpenSSL OpenSSL Organisation • • • Capability and stability of the organisation = good Support services for the product = fair Feeding requirements to the developing process = good OpenSSL Product • • • • Conformity verification = good Interoperability = good Stability = good Maintainability = fair (for open source community practices) Slide 24 of 37
  • 25. Evaluation of the FreeS/WAN organisation (1) Capability and stability of the organisation = fair • • The FreeS/WAN development team consists of experienced software developers and engineers. The FreeS/WAN software package is already widely used. Slide 25 of 37
  • 26. Evaluation of the FreeS/WAN organisation (2) Support services for the products = poor • • • Navigation in the FreeS/WAN web site is not user friendly Documentation provided is not structured and requires advanced experience on several issues (e.g Linux, configuration files etc.) Documentation provided does not contain • configuration examples • detailed installation guidelines • patch installation guidelines Slide 26 of 37
  • 27. Evaluation of the FreeS/WAN organisation (3) Ability to feed requirements into the developing process = poor • Communication channel with users and developers: Internet mailing lists • response time is not adequate, for a commercial organisation • difficult to track related postings Slide 27 of 37
  • 28. FreeS/WAN software module evaluation (1) Ethernet link IPsec protocol Ethernet link IPsec protocol Traffic Generator GGSN HW platform Redhat Linux v7.2 FreeS/WAN ported Linux Test Station Redhat Linux v7.2 FreeS/WAN ported tcpdump enabled Software module capability: Functional Verification • • • Use of the tcpdump and ethereal tools Verification of the ISAKMP negotiation Verification of the FreeS/WAN encryption Slide 28 of 37
  • 29. FreeS/WAN software module evaluation (2) Software module capability: Interoperability (1) • FreeS/WAN does not implement single DES and Diffie-Helman group 1 (768-bit) because they are insecure. • Solution: Avoid configuration related to single DES and Diffie-Hellman group 1 • RFCs define two modes for IKE negotiations including the main mode and the aggressive mode. FreeS/WAN does not implement aggressive mode. • Solution: If the default option of the other peers is the aggressive mode the user should configure them for main mode Slide 29 of 37
  • 30. FreeS/WAN software module evaluation (3) Software module capability: Interoperability (2) • FreeS/WAN provides perfect forward secrecy (PFS) by default, which is more secure and cost effective. However, some other implementations turn PFS off by default. • Solution: Users should either disable PFS in FreeS/WAN, or enable PFS in the other peers • The IKE protocol allows several types of optional messages. FreeS/WAN ignores optional messages. Problems may arise if the other end relies on the use of optional messages. • Solution: Modifications to the source code of FreeS/WAN Slide 30 of 37
  • 31. FreeS/WAN software module evaluation (4) Software module capability: Interoperability (3) • Concerning FreeS/WAN interoperability with Windows 2000 IPSec, a problem with respect to IKE was reported. • Solution : FreeS/WAN has changed (from version 1.92 and on) the handling of this. • General rule for interoperate with FreeS/WAN • • • • Slide 31 of 37 main mode for IKE negotiation triple DES encryption Diffie-Hellman Group 2 (1024-bit) or Group 5 (1536-bit) Perfect Forward Secrecy enabled
  • 32. FreeS/WAN software module evaluation (5) Software module capability: Interoperability (4) • Discrepancies in IPSec terminology used in IPSec implementations • Solution: Developers should be aware of the discrepancies in terminology, and interpret the terms they meet, depending on the IPSec implementation they are using. • IPSec is a peer to peer protocol. IPSec clients cannot provide IPSec services for subnets residing behind them, only IPSec gateways can. • Solution: If there is a need to support a subnet behind an IPSec implementation, use an IPSec gateway instead of an IPSec client Slide 32 of 37
  • 33. FreeS/WAN software module evaluation (6) Software module stability • • • • • Unexpected communication problems may emerge with VPN clients that use DHCP and NAT. FreeS/WAN has restricted functionality concerning shared secret authentication. The FreeS/WAN organisation counter proposes RSA for authentication purposes. However, no IPSec standard has yet been implemented for user authentication. No support for X.509 or other certificates No support for single DES encryption No support for AES encryption Slide 33 of 37
  • 34. FreeS/WAN software module evaluation (7) Software module maintainability • • • • FreeS/WAN does not provide any documentation regarding the architecture of the software module. A source code walk-through is required, to understand the functionality of the FreeS/WAN software subsystems. An initial source code walk-through we performed, indicated that the source code is not well structured, and that comments are not used throughout the code, thus reducing its maintainability. Although the size of the FreeS/WAN patches is not too big, their number is quite big (more than 15) during the FreeS/WAN project period having a detrimental effect on software maintainability. Slide 34 of 37
  • 35. Conclusions on FreeS/WAN FreeS/WAN Organisation • • • Capability and stability of the organisation = fair Support services for the product = poor Feeding requirements to the developing process = poor FreeS/WAN Product • • • • Functional verification = good Interoperability = fair Stability = fair Maintainability = fair Slide 35 of 37
  • 36. …for more info For more info, visit http://laplace.intrasoft-intl.com/secrets/ Slide 36 of 37