[Openswan Users] Volunteer tcl script writer needed for openswan application

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Mar 11 18:34:47 CET 2006


The ISCS open source network security management project
(http://iscs.sourceforge.net) could use some volunteer assistance from
someone who can adapt bash scripts to tcl for the creation of
configuration files and implementing dynamic changes on production
devices using *swan, openvpn and iptables.  If you are
interested and able to assist, please contact me using the details in my
signature below.  For more information, please continue reading.

We have added support for the Secure Computing / CyberGuard / SnapGear
SG series of devices so that they can be managed using ISCS with no
change to firmware.  The SG580 devices are working fine in production
but the SG570 devices use sash instead of bash.  We can get around the
limitations of bash by using the tcl interpreter.  However, we have no
one on the team with tcl experience.

ISCS could be described as an open source alternative to very expensive
products for managing large, enterprise network security deployments
such as Solsoft or Provider1.  Actually, it does much more and has no
commercial equivalent.  It has allowed us to implement complex,
perimeter style security within the perimeter to affordably create truly
segmented and multi-layered networks with a minimum of labor.  We have
initially focused on iptables and have implemented only a small portion
of the *swan functionality.  We hope to change that soon.

To give an idea of what it does, a recent production deployment of
internal network security for a global manufacturer would have required
well in excess of 100,000 iptables rules.  ISCS reduced that rule set to
roughly 13,000 rules, only requires traversal of a small subset of those
rules for any new packet, generated those rules in a couple of hours and
distributed them to all devices automatically at the click of a button
within a couple of minutes.  ipset could probably reduce the rule set
tenfold again.  Any ipset experts out there interested in helping?

In comparison, if one had to write 13,000 rules at 20 seconds per rule,
that would be 72 hours -- at one minute per rule, 217 hours.  150,000
rules would take 833 hours at 20 seconds and 2,500 hours at one minute
per rule.

All this with a dramatic reduction in exposure to human error (one can
imagine the danger of a typo or out of order rule in 150,000 line rule
set).

At the same time, we distribute all the information needed to apply this
security dynamically to *swan and openvpn remote access users.  When
they connect, their extended credentials (e.g., X.509 DN) are used to
dynamically alter access control and their extended credentials are used
throughout the WAN without reliance upon spoofable virtual IP addresses
(even in cases like openvpn where a virtual IP address is used for other
reasons).  Furthermore, the data in the network-to-network tunnels is
secured in the same manner.

Once we add full support for *swan and openvpn, we will also
automatically generate and distribute all the configuration files as
well as issue dynamic changes to the VPN at the click of the same button
and with the same efficiency as we now do for iptables.

If you are interested and can help, we would greatly appreciate your
assistance.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
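To illustrate the rule-set reduction the post attributes to ipset, here is an added example that is not part of the original message and not ISCS code: a POSIX shell script that generates, for a constructed sample policy (five workstations allowed to reach two servers on two TCP ports), both the flat per-tuple iptables rule list and an equivalent ipset-based version. It only prints the commands and applies nothing. The set names (seg_clients, app_servers) are assumptions; the `hash:ip`, `hash:ip,port` set types and the `-m set --match-set` match are standard ipset/iptables syntax.

```shell
#!/bin/sh
# Added example, not ISCS code. Generates iptables/ipset command text only;
# nothing here touches a live firewall.

# Constructed sample policy: clients in one segment may reach two
# application servers on two TCP ports.
CLIENTS="10.1.1.10 10.1.1.11 10.1.1.12 10.1.1.13 10.1.1.14"
SERVERS="10.2.0.5 10.2.0.6"
PORTS="443 8443"

# Flat form: one iptables rule per (client, server, port) tuple.
# Every new packet may have to traverse all of them.
gen_flat() {
    for c in $CLIENTS; do
        for s in $SERVERS; do
            for p in $PORTS; do
                printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
                    "$c" "$s" "$p"
            done
        done
    done
}

# ipset form: the client addresses go into a hash:ip set, the
# (server, port) pairs into a hash:ip,port set, and a single rule matches
# against both. Set names below are assumed for this example.
gen_ipset() {
    printf 'ipset create seg_clients hash:ip\n'
    for c in $CLIENTS; do
        printf 'ipset add seg_clients %s\n' "$c"
    done
    printf 'ipset create app_servers hash:ip,port\n'
    for s in $SERVERS; do
        for p in $PORTS; do
            printf 'ipset add app_servers %s,tcp:%s\n' "$s" "$p"
        done
    done
    # "src" matches the packet source against seg_clients; "dst,dst"
    # matches destination address and destination port against app_servers.
    printf 'iptables -A FORWARD -m set --match-set seg_clients src '
    printf -- '-m set --match-set app_servers dst,dst -j ACCEPT\n'
}

# Count only the iptables rules each form emits (set maintenance lines
# are cheap: membership changes never require rewriting the rule).
count_flat_rules()  { gen_flat  | grep -c '^iptables '; }
count_ipset_rules() { gen_ipset | grep -c '^iptables '; }

printf 'flat rules:  %s\n' "$(count_flat_rules)"
printf 'ipset rules: %s\n' "$(count_ipset_rules)"
```

The point for day-to-day operation is in the last comment: once the policy is expressed as set membership, adding or removing a host is an `ipset add` or `ipset del` against a running set, not a regenerated and reloaded rule list, which is the kind of dynamic change on production devices the post describes.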


