ZeroShell by Fulvio Ricciardi

NetGroup Meeting

What is Zeroshell

•  It is a Linux distribution that provides the main network services

•  Configurable via web – the name Zero-Shell (Shell-less) means that configuration should take place exclusively via the Web. Shell access is nevertheless still possible

•  The web sites are:
   –  http://www.zeroshell.net/ (Italian)
   –  http://www.zeroshell.org/ (English)

CNAF 31/03/2014  ZeroShell by Fulvio Ricciardi  2

The main services offered by Zeroshell

•  Routing and Bridging with 802.1q VLAN support
•  Firewall with support for Layer 7 filters
•  Traffic Shaping and QoS, assigning maximum bandwidth, guaranteed bandwidth and priority according to the type of traffic
•  Load Balancing and Failover of WAN links
•  Site-to-site VPN with OpenVPN (TAP)
•  VPN gateway for Host-to-LAN access (OpenVPN, IPSec/L2TP, PPTP)
•  Captive Portal with Kerberos 5, RADIUS, X.509 certificate and SAML v2 (via Shibboleth) authentication backends
•  Transparent HTTP proxy with antivirus scanning of web pages
•  LDAP, Kerberos 5 and RADIUS server with accounting, DNS and DHCP
•  Wi-Fi Access Point with Multiple SSID support

Live CD or Installation on Disk (USB, SATA, PATA, SCSI)

•  The partition containing Zeroshell is always ISO9660
•  /sbin /bin /lib /usr are Read Only (more control in case of intrusion)
•  Library headers and development tools are removed
•  Unofficial Read-Write distributions with compilers exist

[Diagram: Installation on Hard Disk or USB Flash. Labels: Partition 1, Partition 2, Partition 3, Partition 4; /boot (Kernel + initrd); Zeroshell Live CD (SLOT 1); Zeroshell Live CD (SLOT 2); Configuration Profiles]

Boot Manager

Access the Repository

Multiple Configurations using the Profile Manager

ALIX: an excellent router if the required bandwidth is below 100Mb/s

•  Geode LX800 CPU at 500MHz with very low power consumption (20 hours on a backup battery)
•  256MB of RAM (100MB is enough for Zeroshell)
•  System on Compact Flash
•  Can be fitted with a Wi-Fi interface on MiniPCI
•  Up to 30Mb/s through OpenVPN
•  Already tested to carry the INFN-dot1x and INFN-Web VLANs through OpenVPN with 802.1 tags
•  Cost below 100.00€

Soekris Net6501-70

•  Intel ATOM Dual Core 1600 MHz, 2 GB RAM DDR2
•  4 x Intel 1Gb Ethernet, 1 x 1000BaseSX Ethernet for Fiber Link on PCIe
•  1 x SSD 250GB on SATA, useful for Connection Tracking logging
•  Tested to work at INFN Lecce on 1GBit GARR Link as Firewall and Traffic Shaper at the same time
•  ≈ 350.00 Euro (Without SSD and 1000BaseSX Interface)

“Muletto” currently in use for GARR access @ INFN Lecce

•  Mini ITX motherboard E350M1 with AMD E-350D Dual Core APU: 53.00€
•  DualPort Gigabit NIC PCI-E Low Profile HP PRO1000PT NC360T: 42.00€
•  KINGSTON MEMORY 2GB 1333MHz DDR3: 18.00€
•  Mini ITX case with power supply: 55.00€
•  250GB SSD HD: 145.00€

Scalability test of the AMD E350D APU on the 1Gbit/s GARR link

•  Between 12:00 and 14:00 the average inbound traffic was 500Mb/s

•  The Load Average shows that the machine suffers no overhead (Firewall + QoS + L7 + logging) caused by that peak

•  The Load AVG graph instead follows that of the number of TCP/UDP connections

•  With almost 6600 TCP/UDP connections the APU appears to be 8% utilised (it has 2 cores)

Hierarchically organize Net Filter rules to improve performance

Explicitly allow traffic from the Internet to the LAN

Making a Firewall Rule

Connection Tracking logs any TCP/UDP Connection

Shaping the traffic (Priority, Maximum and Guaranteed Bandwidth)

Using L7 Filters to easily classify the traffic

LAN To LAN Virtual Private Networks with OpenVPN

TAP devices instead of TUN for bridging and 802.1q VLAN support

VPN Bonding to increase Layer 2 Bandwidth by balancing WAN Links

Road Warrior OpenVPN (Kerberos 5, RADIUS, X.509 Authentication)

Password Authentication on multiple domains (RADIUS and/or Kerberos 5)

Multiple Internet Connections with Failover and Load Balancing

Captive Portal as Network Access Control

Multiple Authentication Domain RADIUS/K5 and X.509 Access

Captive Portal Authentication against a SAML Identity Provider

RADIUS Accounting for Captive Portals and 802.1x Access Points

Zerotruth: an extension of the Captive Portal and of Accounting

HTTP Transparent Proxy with ClamAV Virus Scanning

Monitoring with e-Mail and SMS Alerts

Recipients based on Alert's Severity