Open-Source vs Proprietary Virtual Private Network (VPN) Solutions


Open-Source vs Proprietary Virtual Private Network (VPN) Solutions
Keith S. Morgan & Paul S. Graham, Los Alamos National Laboratory
Institute of Nuclear Materials Management, Just Trust Me Workshop, March 12-13, 2019, Albuquerque, New Mexico
UNCLASSIFIED. Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA. LA-UR-19-21959


Slide 2 – Outline
§ Open Source vs Proprietary
– Software Licensing Continuum
– Source Models
– Business Models
– Development Models
§ Just Trust Open Source
§ Just Trust Proprietary
§ Case Study: VPN
– Juniper ScreenOS CVE-2015-7755 (and the companion VPN-decryption issue, CVE-2015-7756)
– OpenSSL CVE-2014-0160


Slide 3 – Software Licensing Continuum
[Figure: a continuum running from Permissive (left) to Protective (right). Open-source side: Not licensed ("Who does this anymore?"), Public Domain, MIT / Apache, GPL. Closed-source side: Freeware, Shareware, Proprietary ("Lawyers").]


Slide 4 – Source Models
[Figure: the same continuum split into Open Source / Free and Open Source (Public Domain, Permissive, Protective) and Closed Source (Freeware, Shareware, Proprietary).]
§ Open Source – 10 requirements: https://opensource.org/osd
§ Free and Open Source Software (FOSS) – 4 freedoms: https://www.gnu.org/philosophy/free-sw.html
§ Open Source ≠ Free and Open Source – see: https://www.gnu.org/philosophy/open-source-misses-the-point.html


Slide 5 – Business Models
[Figure: the licensing continuum with business models overlaid. Open-source side (Public Domain, Permissive, Protective): Open Core, Services, Donations. Closed-source side (Freeware, Shareware, Proprietary): Free trial, Purchase.]


Slide 6 – Development Models
§ Proprietary
– Company
– Limited community contributions
– Public milestone releases
§ Open Source
– Steward / Governance: Company, Foundation, or BDFL
– Community development processes
– Publicly visible development (source, roadmap, etc.)
– Open, community driven


Slide 7 – Just Trust Open Source
Pros:
§ Freedom
– Audit (provenance, vetting)
– Control your destiny (bug fixes, features)
§ Crowd sourcing
– "Given enough eyeballs, all bugs are shallow." (Linus's Law, as formulated by Eric S. Raymond in The Cathedral and the Bazaar)
Cons:
§ Eyeballs also looking for exploits
§ Broad developer base
§ Support varies


Slide 8 – Just Trust Proprietary
Pros:
§ Support is more common
§ No prying eyeballs (hopefully!)
§ Limited / controlled developer base
§ Financial interests may lead to more focused attention
Cons:
§ No freedom
– No auditing (possibly even discouraged)
– At the mercy of the code's owner
§ Potentially fewer resources for vetting
§ Black box development


Slide 9 – Case Study: VPN
§ What is VPN? (client-to-site, site-to-site)
– Client-to-site: an individual device tunnels to a gateway and is treated as if it were on the gateway's network
– Site-to-site: two gateways tunnel between each other, joining two networks without any per-host configuration


Slide 10 – Juniper ScreenOS
§ Operating system for the NetScreen line of security devices from Juniper Networks
§ Acquired by Juniper Networks in its $4B acquisition of NetScreen Technologies (2004)
§ Continues to exist in parallel with Junos OS


Slide 11 – Juniper ScreenOS CVE-2015-7755
"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections." (Juniper Networks security announcement, December 2015)
Juniper tracked the two halves of this finding separately: CVE-2015-7755 covers the administrative-access issue, CVE-2015-7756 the VPN-decryption issue.


Slide 12 – Juniper ScreenOS CVE-2015-7755: "gain administrative access"
[Figure: Rapid7's analysis of the unauthorized code. The added code accepted one fixed, hard-coded password (a string shaped like a debug format string, so it did not stand out) for SSH and Telnet logins; combined with any valid username it granted administrator access to the device.]


Slide 13 – Juniper ScreenOS CVE-2015-7756: "decrypt VPN connections"
[Figure: from Juniper's announcement. The VPN half of the finding carries its own identifier, CVE-2015-7756: the unauthorized code replaced a constant (the point Q) in the Dual_EC_DRBG random-number generator that ScreenOS's VPN code relies on. Whoever knows the secret corresponding to the substituted constant can recover the generator's state from observed output and with it the VPN session keys, allowing passive decryption of captured traffic.]


Slide 14 – OpenSSL
§ Software library for secure communications over computer networks; also a general-purpose cryptography library
§ Used by open-source web servers like Apache and nginx, with a combined 66% market share of active web sites according to Netcraft's April 2014 Web Server Survey
§ Also used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software


Slide 15 – OpenSSL CVE-2014-0160 ("Heartbleed")
§ Bug in the OpenSSL implementation of the TLS heartbeat extension (RFC 6520): a missing bounds check let a peer claim a payload length larger than the heartbeat message it actually sent, and OpenSSL echoed back that many bytes from memory
§ Allows an attacker to read memory of vulnerable systems (up to 64 KB per heartbeat, without authentication and without leaving a trace in logs), compromising private information (e.g. keys, passwords, etc.) and thus enabling an attacker to eavesdrop, steal data and/or impersonate services and users
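The over-read described above, as an added example that is neither OpenSSL's code nor part of the original slides: a miniature of the defect in OpenSSL's heartbeat handler (it trusted the 16-bit length field inside the heartbeat message instead of the length of the record that carried it) next to the two checks the April 2014 fix introduced. The record layout, the "hello" payload, the 200-byte claim and the PRIVATE-KEY-MATERIAL string placed after the record are all constructed for the demonstration; the over-read is kept inside one array so the program is well-defined, which a real heap does not guarantee.

```c
/* Added example modelling CVE-2014-0160 (Heartbleed). Not OpenSSL code:
 * the layout and data below are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16     /* RFC 6520: padding of at least 16 bytes */
#define ARENA_CAP   256

/* Constructed stand-in for whatever the process keeps next to the record. */
static const char g_secret[] = "PRIVATE-KEY-MATERIAL";

/* Lays out [heartbeat record][g_secret] in `arena`. The record carries the
 * 5-byte payload "hello" but advertises `claimed_len` payload bytes.
 * Returns the record's true length (1 type + 2 length + 5 + 16 padding). */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len)
{
    size_t n = 0;
    memset(arena, 0, ARENA_CAP);
    arena[n++] = HB_REQUEST;
    arena[n++] = (uint8_t)(claimed_len >> 8);
    arena[n++] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + n, "hello", 5);        n += 5;
    memset(arena + n, 0xAA, HB_PADDING);  n += HB_PADDING;
    memcpy(arena + n, g_secret, sizeof g_secret);   /* sits right after the record */
    return n;
}

/* Vulnerable shape: `payload` comes from the peer and is never compared with
 * rec_len, so memcpy reads past the end of the record. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* over-read happens here */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed shape: the two checks the 2014 patch added; both silently discard
 * the message (return 0) instead of answering it. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0; /* claim exceeds record */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* 1 if a 200-byte claim against the vulnerable handler returns g_secret. */
int demo_vulnerable_leaks(void)
{
    uint8_t arena[ARENA_CAP], out[ARENA_CAP];
    size_t rec_len = build_arena(arena, 200);
    memset(out, 0, sizeof out);
    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && strstr((const char *)out + 3, g_secret) != NULL;
}

/* 1 if the fixed handler drops the same 200-byte claim. */
int demo_fixed_drops(void)
{
    uint8_t arena[ARENA_CAP], out[ARENA_CAP];
    size_t rec_len = build_arena(arena, 200);
    return heartbeat_fixed(arena, rec_len, out, sizeof out) == 0;
}

/* Response length for an honest 5-byte claim through the fixed handler. */
int demo_fixed_legit(void)
{
    uint8_t arena[ARENA_CAP], out[ARENA_CAP];
    size_t rec_len = build_arena(arena, 5);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler dropped the bogus claim: %s\n", demo_fixed_drops() ? "yes" : "no");
    printf("fixed handler answered an honest claim with %d bytes\n", demo_fixed_legit());
    return 0;
}
```

The point to take from the two handlers is how small the difference is: one comparison of a peer-controlled length against the length the transport actually delivered. Nothing in the vulnerable path crashes or logs, which is why the bug sat in a widely used open-source library for two years despite the "many eyeballs" argument on slide 7.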


Slide 16 – OpenSSL CVE-2014-0160
[Figure: diagram of the Heartbleed over-read; see credits]


Slide 17 – Conclusion
§ Open Source vs Proprietary: who do you trust?
§ Just Trust... Open Source
– Freedom to audit
– Crowd sourcing
§ Just Trust... Proprietary
– No prying eyeballs (hopefully!)
– Limited / controlled developer base
§ No one-size-fits-all solution


Slide 18 – Credits
Slide 3
– Graphic adapted from https://www.phase2technology.com/blog/open-source-licensing-part-2-software-licensing-is-a-continuum
– SQLite logo: part of the SQLite documentation, released by author D. Richard Hipp to the public domain; SVG conversion by Mike Toews, created from sqlite370.eps distributed with the version 3.7.2 documentation. Public Domain, https://commons.wikimedia.org/w/index.php?curid=11675072
– Apache HTTP Server logo: by The Apache Software Foundation, from File:ASF-logo (2016).svg, edited in Inkscape (rotated to match the design of File:Apache HTTP server logo (2016).png, some cleanup, optimised using Scour). Apache License 2.0, https://commons.wikimedia.org/w/index.php?curid=47190352
– Linux logo: by Larry Ewing, Simon Budig and Garrett LeSage, http://www.home.unix-ag.org/simon/penguin/ and garrett/Tux on GitHub. CC0, https://commons.wikimedia.org/w/index.php?curid=753970
– Doom logo: fair use, https://en.wikipedia.org/w/index.php?curid=33133525
– Windows logo: by Microsoft, File:Windows Server 2012 logo.svg. Public Domain, https://commons.wikimedia.org/w/index.php?curid=45931123
Slide 4
– Graphic adapted from https://www.phase2technology.com/blog/open-source-licensing-part-2-software-licensing-is-a-continuum
Slide 5
– Graphic adapted from https://www.phase2technology.com/blog/open-source-licensing-part-2-software-licensing-is-a-continuum
– SQLite, Apache HTTP Server, Linux, Doom and Windows logos: as for slide 3
– Red Hat logo: fair use, https://en.wikipedia.org/w/index.php?curid=25998353
– Redis logo: fair use (WP:NFCC#4), https://en.wikipedia.org/w/index.php?curid=40127986


Slide 19 – Credits
Slide 6
– Apache Software Foundation logo: by The Apache Software Foundation (ASF), http://www.apache.org. Apache License 2.0, https://commons.wikimedia.org/w/index.php?curid=47211111
– Linus Torvalds portrait: by Krd (photo) and Von Sprat (crop/extraction), File:LinuxCon Europe Linus Torvalds 03.jpg. CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=54706023
– Android logo: by Google, File:Android robot.svg, https://android.com. CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=44801497
– OpenSSL logo: by the OpenSSL authors, http://openssl.com/images/openssl-logo.png. Public Domain, https://commons.wikimedia.org/w/index.php?curid=37241357
Slide 9
– Source: https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/
Slide 10
– OpenSSL logo: as for slide 6
Slide 11
– Image by Ludovic.ferre (talk · contribs), own work. CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=10101288
Slide 12
– Image: https://www.juniper.net/documentation/hardware/netscreen-appliances50/ug_5xt.pdf
Slide 13
– Source: https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
Slide 14
– Image: https://blog.rapid7.com/content/images/post-images/50613/ssh.png
Slide 15
– Source: http://heartbleed.com
– Image: http://heartbleed.com/heartbleed.png
Slide 16
– Image by Fenix.Feather, own work. CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=32276981