UbuntuNetworkApplicanceEdition

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

  • Launchpad Entry: https://blueprints.launchpad.net/ubuntu/+spec/ubuntu-network-appliance-edition

  • Packages affected:

Summary

A version of Ubuntu (based provisionally on 8.04 LTS Server Edition) that is optimised for "network appliance" tasks: firewall, load balancer (sticky as well as round-robin), intrusion detection and SSL acceleration. Such a version would include a mechanism for clustering such appliances dynamically (Heartbeat?) and for policy management across a network of such devices. It would also need a hardened build of Ubuntu Server Edition that specifically excludes any standard package not explicitly required for that functionality.

Release Note

This is proposed as an alternate edition of Ubuntu, based around Server Edition.

Rationale

Ubuntu Desktop(s) and Ubuntu Server editions have well-defined use cases.

There is, however, some level of demand to deploy a free "network infrastructure appliance", which combines the roles of Firewall, Load Balancer, SSL accelerator and IDS server.

It is, of course, possible to add packages to server edition to meet this requirement, but that only goes half-way. In addition to adding the appropriate packages, it is also necessary to harden the operating system beyond the requirements of a normal server, by removing all packages not absolutely required for the task. (A package that plain isn't there is less of a security risk than one sitting unconfigured, or locked down within an application-specific security model.)

A customised version of Ubuntu, going beyond the likes of SmoothWall/IPCop by adding the extra features, would help uptake in a market currently dominated by proprietary vendors.

Use Cases

Firewall:

- Hardened version of Ubuntu running iptables/netfilter (or an alternative; ipchains was superseded by iptables in the 2.4 kernel and is not an option on the 8.04 kernel)
- Ideally with Heartbeat (Linux-HA) installed as standard, so that firewalls can be deployed in active/passive pairs

Load Balancer:

- As Firewall, but running UltraMonkey (or alternative.)

SSL Accelerator:

- Initially, an SSL-terminating reverse proxy on a standard Linux build
- As a later project, built-in support for hardware SSL acceleration cards to take the handshake load off the CPU
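The firewall use case above, as an added worked example (not part of the specification or of any Ubuntu package): a default-deny iptables ruleset for an appliance deployed as a Heartbeat pair, with a check that nothing opens the WAN side for new inbound connections. The interface names, subnets, peer address and the Heartbeat UDP port (694 is Heartbeat's default) are illustrative assumptions; fw_rules only prints the rules, so nothing is applied unless fw_apply is run as root on the appliance.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a default-deny ruleset for a
# firewall appliance running as one node of a Heartbeat pair.
# All names and addresses below are assumed values for illustration.
WAN_IF=${WAN_IF:-eth0}                   # Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                   # protected network
HA_IF=${HA_IF:-eth2}                     # crossover link to the partner firewall
LAN_NET=${LAN_NET:-192.168.10.0/24}
ADMIN_NET=${ADMIN_NET:-192.168.10.0/24}  # where SSH administration is allowed from
PEER_IP=${PEER_IP:-10.0.0.2}             # partner node on the HA link
HA_PORT=${HA_PORT:-694}                  # Heartbeat's default UDP port

# fw_rules: print the ruleset, one iptables command per line.
fw_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
# Default deny in every direction; everything below is an explicit exception.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback, plus replies to connections already accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop traffic on the WAN side that claims a LAN source address.
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Administration: SSH from the admin network on the LAN interface only.
iptables -A INPUT -i $LAN_IF -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
# Heartbeat between the pair, restricted to the HA link and the peer address.
iptables -A INPUT -i $HA_IF -p udp -s $PEER_IP --dport $HA_PORT -j ACCEPT
iptables -A OUTPUT -o $HA_IF -p udp -d $PEER_IP --dport $HA_PORT -j ACCEPT
# LAN clients may open connections to the Internet; outbound is masqueraded.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# The firewall itself may only originate DNS and NTP queries.
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport 123 -j ACCEPT
EOF
}

# wan_input_accepts: number of INPUT rules that ACCEPT on the WAN interface.
# A correct ruleset for this appliance prints 0 (no service is exposed to the WAN).
wan_input_accepts() {
    fw_rules | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

# fw_apply: feed the generated rules to a shell; run as root on the appliance.
fw_apply() {
    fw_rules | sh
}

fw_rules
```

With OUTPUT defaulting to DROP the appliance cannot reach an archive mirror; an outbound tcp/80 rule has to be added deliberately for the duration of an apt-get upgrade, which is the point of a default-deny policy on a box whose only job is filtering.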

Assumptions

The core assumption is that there is inherent demand for such a thing, and that building a version of Ubuntu that is pre-hardened and includes the appropriate packages would make deploying Ubuntu-based infrastructure safer, faster and better than taking Server Edition, hardening it by hand and adding the packages.

Design

1: Add the packages we need:

- Firewall (iptables/netfilter?)
- Load balancer (UltraMonkey 3?)
- SSL accelerator (effectively, a reverse proxy with SSL termination) (???)

2: Remove the stuff in Server edition we don't need:

- Email
- Databases
- PHP / Perl / Ruby (unless needed by the above; UltraMonkey's ldirectord is a Perl program, so Perl stays on a load balancer)
- All other packages not explicitly required by the above
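Steps 1 and 2 above, as an added worked example (not part of the specification): an allowlist-driven review of what is installed, listing packages to add and packages to purge before anything is removed. The allowlist and the sample dpkg output are constructed for illustration; the real allowlist is whatever Implementation step 3 decides.

```shell
#!/bin/sh
# Added example: compare installed packages with an explicit allowlist so the
# "remove everything not required" pass can be reviewed before it runs.
export LC_ALL=C   # deterministic ordering for sort(1) and comm(1)

# Packages the appliance build requires. Assumed list for illustration.
REQUIRED_PKGS="linux-image-server
iptables
heartbeat
ldirectord
ipvsadm
openssh-server
pound"

# Constructed sample of `dpkg-query -W -f='${Package}\n'` output on a server
# install. Used unless LIVE=1 is set, so the script runs offline.
SAMPLE_INSTALLED="apache2
iptables
heartbeat
ipvsadm
ldirectord
linux-image-server
mysql-server
openssh-server
php5
postfix
pound
ruby"

installed_packages() {
    if [ "${LIVE:-0}" = "1" ]; then
        dpkg-query -W -f='${Package}\n'
    else
        printf '%s\n' "$SAMPLE_INSTALLED"
    fi
}

required_packages() {
    printf '%s\n' "$REQUIRED_PKGS"
}

# purge_candidates: installed packages absent from the allowlist (step 2).
# comm(1) needs sorted input; -23 keeps lines present only in the first input.
purge_candidates() {
    tmp=$(mktemp) || return 1
    required_packages | sort -u > "$tmp"
    installed_packages | sort -u | comm -23 - "$tmp"
    rm -f "$tmp"
}

# missing_required: allowlisted packages not yet installed (step 1).
missing_required() {
    tmp=$(mktemp) || return 1
    required_packages | sort -u > "$tmp"
    installed_packages | sort -u | comm -13 - "$tmp"
    rm -f "$tmp"
}

# purge_command: the apt-get line to review. Simulated (-s) unless CONFIRM=1,
# because removing one package can drag out a reverse dependency that is on
# the allowlist; the simulation prints the whole plan first.
purge_command() {
    pkgs=$(purge_candidates | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$pkgs" ] || return 0
    if [ "${CONFIRM:-0}" = "1" ]; then
        printf 'apt-get --purge remove %s\n' "$pkgs"
    else
        printf 'apt-get -s --purge remove %s\n' "$pkgs"
    fi
}

purge_command
```

Run with LIVE=1 on a real 8.04 install to see the actual candidate list; the simulated apt-get output is what gets reviewed, since apt's dependency resolution, not this list, decides what finally leaves the system.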

Realistically, in "phase 1", configuration would be by SSH and a text editor (nano?). In "phase 2", an integrated "text-GUI" that allows joined-up configuration of a single server. In "phase 3", a GUI that allows configuration / interrogation of multiple servers (probably a separate package that runs on Ubuntu Desktop rather than something that runs on this edition).

Implementation

Step 1: Discussion of whether there is actually a demand for this.

Step 2: Selection of a "base platform". (8.04 LTS proposed for discussion?)

Step 3: Decision on the packages required for this functionality

Step 4: Review of all the packages that should be removed for hardening

UI Changes

As set out under Design: phase 1 is SSH and a text editor, phase 2 an integrated text UI for a single server, phase 3 a multi-server GUI (probably a separate package running on Desktop).

Code Changes

Potentially none. This is a "package selection" thing, not a "new code" thing.

Migration

None.

Test/Demo Plan

???

Outstanding Issues

Many - the core being "is there a demand" :-)

BoF agenda and discussion

...


CategorySpec

UbuntuNetworkApplicanceEdition (last edited 2008-08-06 16:23:27 by localhost)