Linux Live Distros – Possible ‘Clean’ VPN Client

January 27, 2009

I have long considered customized Linux live distributions as  candidates for trusted-enough remote VPN client end-points.  The fact that we could possibly make a standardized, read-only operating system, and then use evidence of its presence as one layer of our risk management infrastructure, remains attractive.  In any enterprise having a relatively large and diverse, non-technical end-user base, the available distributions have not been a good match.  They did not deal simply and transparently with the diversity of hardware and end-user skill-sets that characterize the enterprise remote end-point environment.  So why think about trust and remote VPN client end-points?

It is possible that our efforts to justify granting large numbers of Internet-connected Windows clients remote access to sensitive corporate information assets will not be sustainable.  Criminal enterprises keep finding more effective ways to profit from information theft, sometimes by selling services to others who want specific information, and the range of their "business" models is beginning to parallel that of their targets.  Many of those models depend on social engineering, some on malicious software, and many more on a combination.  In any case, end users and vulnerable software are the primary targets.

In the financial services industry, most remote clients run one or another Windows operating system.  The expense and effort required to purchase, deploy, and then manage new protective technologies…  The complexity of, and resistance to, enforcing any sort of configuration requirements on contractors, out-sourcers, and business partners…  The difficulty of reliably patching large numbers of intermittently-attached, non-corporate assets running Windows…  Each of these presents extreme challenges.  One of the Network Access Control models may help, but their expense and the investment required to prepare and maintain compliant infrastructure seem to keep them off most short lists of "next steps."

Two new live Linux distributions were released recently: Ubuntu 8.10 (Intrepid Ibex) and Knoppix 6.0.0 (Adriane 1.1).

Both of these CDs suggest to me that there may be near-term hope for using stripped-down or hardened re-spins of main-line live Linux distributions as a key technology foundation for more trusted populations of remote, Internet-connected VPN end-points.  Both distributions worked well and without fuss on my consumer-class Toshiba laptop and an 802.11 ABG wireless network.  Ubuntu, a monster that "owns" an increasing share of the Linux desktop, functioned flawlessly and its wireless network setup was quick and easy, but it consumed significant memory before performing any useful work (approaching 1GB of RAM).  Knoppix, always a live distribution, also functioned flawlessly and its wireless network setup was easy and intuitive, and it reported roughly 40% of the memory in use that Ubuntu did.  I'll summarize this comparison below:

Laptop Hardware =
Wireless Network: Intel Wireless WiFi Link 3945ABG
CPU: Intel(R) Core(TM)2 CPU T5200 @ 1.60GHz, stepping 06
L1 cache: 64K, L2 cache: 2048K
RAM: 2 GB

Ubuntu 8.10 boots into a GNOME desktop; Knoppix 6.0 ships the lighter LXDE desktop, which is one reason for the memory difference shown below.

Ubuntu 8.10:

Boot time = 3:30 (min:sec) to a usable desktop
Memory (one Firefox browser with 1 tab open + one terminal)
ubuntu@ubuntu:~$ top -n 2
top - 02:25:53 up 1:04, 8 users, load average: 0.00, 0.02, 0.00
Tasks: 131 total, 1 running, 130 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.5%us, 0.2%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2063268k total, 968084k used, 1095184k free, 90164k buffers
Swap: 0k total, 0k used, 0k free, 507016k cached
Boot command line options =
ubuntu@ubuntu:~$ cat /proc/cmdline
BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed boot=casper initrd=/casper/initrd.gz quiet splash --
Linux version =
ubuntu@ubuntu:~$ cat /proc/version
Linux version 2.6.27-7-generic (buildd@rothera) (gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu10) ) #1 SMP Fri Oct 24 06:42:44 UTC 2008
ubuntu@ubuntu:~$ cat /proc/version_signature
Ubuntu 2.6.27-7.14-generic
Modules =
ubuntu@ubuntu:~$ cat /proc/modules | wc -l
111
Network setup =
System-->Preferences-->Network Configuration, then the Wireless tab, and "add" a new interface, and complete the simple configuration options.  It worked the first time, attaching to my Linksys device via 802.11 WiFi at 54Mb/s using WPA2 Personal security, and fetching an IP address at connection time.
Browser = Firefox version 3.0.3

Knoppix 6.0.0:

Boot time = 1:33 (min:sec) to a usable desktop
Memory (one Iceweasel browser with 1 tab open + one terminal)
knoppix@Microknoppix:~$ top -n 2
top - 12:37:04 up 1:24, 0 users, load average: 0.09, 0.12, 0.22
Tasks: 92 total, 1 running, 91 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.1%us, 0.3%sy, 0.0%ni, 97.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2064732k total, 387560k used, 1677172k free, 4972k buffers
Swap: 0k total, 0k used, 0k free, 166504k cached
Boot options =
knoppix@Microknoppix:~$ cat /proc/cmdline
ramdisk_size=100000 lang=en vt.default_utf8=0 apm=power-off vga=791 initrd=minirt.gz nomce elevator=anticipatory quiet loglevel=0 pci=routeirq BOOT_IMAGE=linux lang=us
knoppix@Microknoppix:~$
Linux version =
knoppix@Microknoppix:~$ cat /proc/version
Linux version 2.6.28 (knopper@Koffer) (gcc version 4.3.2 (Debian 4.3.2-1) ) #4 SMP PREEMPT Sat Jan 3 09:16:41 CET 2009
knoppix@Microknoppix:~$ cat /proc/version_signature
cat: /proc/version_signature: No such file or directory
knoppix@Microknoppix:~$
Modules =
knoppix@Microknoppix:~$ cat /proc/modules | wc -l
27
knoppix@Microknoppix:~$

Network setup =
Menu-->System Tools-->Wavelan Configuration, then click on each of the configuration components and enter the values required by your network: SSID (the utility lists the SSIDs it has been able to identify), Encryption (WPA/WPA2/WEP/etc.), and DHCP/Static IP address.  If you have configured the values in that order, the network setup attempts to acquire an IP address, and if successful, the NetworkManager Applet (ver. 0.7.0) changes from a "disconnected" status to displaying 4 bars showing the signal strength of your network connection.
Browser = Iceweasel version 3.0.5

Both of these distributions have significant positive characteristics in the context of building a trusted remote, Internet-connected VPN client end-point.  Knoppix was faster and consumed fewer resources.  Note that top's "used" figure includes buffers and page cache; subtracting them, Ubuntu had about 371000k of memory actually in use and Knoppix about 216000k, so the gap is real but smaller than the raw figures suggest.  Ubuntu has a large following and a broad base of end-user-friendly documentation.
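As an added example (not code from the original post, and not the author's own tooling), the following POSIX shell script turns the evidence collected in the listings above (/proc/version, /proc/cmdline, /proc/modules, /proc/swaps) into a repeatable posture check that a VPN connect hook could run on the live client and report to the gateway.  The `PROCDIR` parameter, the baseline values (kernel 2.6.28, at most 30 modules, no active swap) and the `make_fixture` stand-in for `/proc` are assumptions made for illustration; the fixture's module lines are constructed, not captured output.

```sh
#!/bin/sh
# posture_check.sh - added example, not part of the original post.
# Gathers the same evidence the listings above show and compares it against
# a baseline for the standardized live image.  On a real client PROCDIR is
# /proc; the baseline values used in the demo are assumptions chosen to
# match the Knoppix 6.0.0 listing.

# posture_fingerprint PROCDIR
#   Print one line summarizing the running image:
#   "<kernel release> modules=<n> swap=<n> boot=<BOOT_IMAGE or none>"
posture_fingerprint() {
    procdir=$1
    kernel=$(awk '{ print $3 }' "$procdir/version")      # third word of "Linux version X ..."
    nmod=$(wc -l < "$procdir/modules" | tr -d ' ')        # one loaded module per line
    nswap=$(( $(wc -l < "$procdir/swaps") - 1 ))          # /proc/swaps: header line, then one line per active swap area
    boot=$(tr ' ' '\n' < "$procdir/cmdline" | sed -n 's/^BOOT_IMAGE=//p' | head -n 1)
    printf '%s modules=%s swap=%s boot=%s\n' "$kernel" "$nmod" "$nswap" "${boot:-none}"
}

# posture_check PROCDIR EXPECTED_KERNEL MAX_MODULES
#   Return 0 when the client matches the baseline, 1 (with a reason on stderr) otherwise.
posture_check() {
    procdir=$1; want_kernel=$2; max_mod=$3
    kernel=$(awk '{ print $3 }' "$procdir/version")
    nmod=$(wc -l < "$procdir/modules" | tr -d ' ')
    nswap=$(( $(wc -l < "$procdir/swaps") - 1 ))
    if [ "$kernel" != "$want_kernel" ]; then
        echo "posture: kernel $kernel, baseline expects $want_kernel" >&2
        return 1
    fi
    # A re-spin that carries only the modules its supported hardware needs has a
    # known ceiling; more than that means a different image or an extra driver.
    if [ "$nmod" -gt "$max_mod" ]; then
        echo "posture: $nmod modules loaded, baseline allows at most $max_mod" >&2
        return 1
    fi
    # All three listings show "Swap: 0k total".  A live session that activates a
    # swap partition on the host disk can leave VPN session data on a disk the
    # enterprise does not control, so any active swap area fails the check.
    if [ "$nswap" -ne 0 ]; then
        echo "posture: $nswap active swap area(s); a clean live client must not swap to the host disk" >&2
        return 1
    fi
    return 0
}

# make_fixture DIR
#   Constructed stand-in for /proc so the script runs offline.  The version and
#   cmdline values mirror the Knoppix listing above; the module lines are
#   illustrative (aufs, squashfs and the iwl3945 driver for the laptop's 3945ABG).
make_fixture() {
    mkdir -p "$1"
    printf 'Linux version 2.6.28 (knopper@Koffer) (gcc version 4.3.2 (Debian 4.3.2-1) ) #4 SMP PREEMPT Sat Jan 3 09:16:41 CET 2009\n' > "$1/version"
    printf 'ramdisk_size=100000 lang=en quiet loglevel=0 BOOT_IMAGE=linux\n' > "$1/cmdline"
    printf 'aufs 1 0 - Live 0x0\nsquashfs 1 0 - Live 0x0\niwl3945 1 0 - Live 0x0\n' > "$1/modules"
    printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$1/swaps"
}

# Stand-alone run against the constructed fixture.
# On a real client the call is: posture_check /proc 2.6.28 30
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/proc"
posture_fingerprint "$demo_dir/proc"
if posture_check "$demo_dir/proc" 2.6.28 30; then echo "posture OK"; else echo "posture FAILED"; fi
rm -rf "$demo_dir"
```

Matching the kernel string, module count and swap state against a baseline is evidence that the expected image is running, not proof: anything that executes on the client can be lied to by a compromised client, which is why the read-only medium matters and why a gateway should treat this as one layer of risk management rather than as authentication.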

I am curious about your consideration of, or experience with this technology, in the context of a customized re-spin, as a remote-access end-point.

UPDATE February 22, 2009: Add Debian GNU/Linux 5.0 (Lenny) to the viable-candidates list.  It is a modern, polished desktop.  It boots in about the same time as Ubuntu 8.10.  I tested with the Live i386 KDE version.  There are others compiled for AMD64, as well as variants that boot into GNOME.  Network setup was as simple as with the two distributions above.  Its top "used" figure of 550920k drops to about 216000k once buffers and cache are subtracted, essentially the same as Knoppix.  All three of these ought to be seriously considered as remote access platforms in these economically challenging times.

Debian GNU/Linux 5.0 i386 Live KDE (Lenny):

Boot time = 3:22 (min:sec) to a usable desktop
Memory (one Firefox browser with 1 tab open + one terminal)

user@debian:~$ top -n 2
top - 20:09:56 up 5 min, 7 users, load average: 0.98, 1.68, 0.83
Tasks: 108 total, 2 running, 106 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.0%us, 0.0%sy, 0.0%ni, 99.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2066792k total, 550920k used, 1515872k free, 68284k buffers
Swap: 0k total, 0k used, 0k free, 266816k cached

— References —

Live Distributions: http://www.livecdlist.com/

Ubuntu 8.10: http://releases.ubuntu.com/8.10/

Knoppix 6.0.0: http://knopper.net/knoppix/knoppix60-en.html

Debian GNU/Linux 5.0: http://www.debian.org


New Attack Surfaces to Defend

January 9, 2009

Dell, Lenovo, Asus, LG, and Hewlett Packard have all recently been shipping PCs that include a traditional Microsoft Windows operating system (OS) and a second OS.  Many models use DeviceVM’s “SplashTop.”

This move is an attempt to provide users with an option to boot more rapidly into an environment that includes only a subset of the applications and features of their primary OS.  Boot time for this “smaller” OS is supposed to be 30 seconds or less.

At the same time, embedded developer Lineo is challenging this field by demonstrating a “quick-start” Linux OS, called “Warp,” capable of booting in under 3 seconds on a 400MHz ARM11 CPU.  This feat includes running Xorg, twm, xlogo, plus three xterms.

This may aid worker productivity.  Its value will only increase as worker mobility increases and as more and more business is performed and delivered via web applications.  If most of their work can be performed via a browser, these fast-boot OSs may become workers' platform of choice.

Security professionals, prepare for dealing with this new attack surface now.  This will require resources, budget, and time.  Don’t wait until your Purchasing department or a senior officer buys a few dozen or a few tens of thousands of these new PCs at your company.

All of these alternative, quick-boot OSs run software, accept and emit inputs, and store some amount of data.  As a result, they will fall prey to all manner of attack.  It will take some effort to learn how to harden, manage, patch, monitor, and report on the status of these new OSs.

— References —

SplashTop on a number of PC vendors' new platforms:
http://blogs.computerworld.com/everyones_free_linux_devicevms_splashtop
and
http://www.splashtop.com/blog/

Lineo press release for Warp: http://www.lineo.co.jp/eng/news-events/press-release/20081105.html

