The main goal of the project is to build an open, modular, standards-compliant framework for managing a network's security resources. It should also be runnable at some point ; )
So, another GUI to manage your iptables? Not exactly.
The world is demanding integration. Strictly speaking, it is demanding integrated, uniform and smooth management. OK, I know that the above mentioned iptables tastes best when managed by hand-crafted scripts. But imagine administering, with these scripts, a network with 8 such gateways, half of which are clusters. Add a lot of complicated NAT rules and VPN connections... And, I almost forgot, of course each gateway sits in a different department, with a different purpose and ruleset. That would be a nightmare. This is (mostly) why people choose commercial software.
But, hey... Linux is capable of doing all the things which commercial software provides (ok, maybe 98% : )):
- if you demand a world class stateful firewall... yes (surprise) iptables
- if you want to perform traffic shaping or lots of really mysterious routing alchemy, look at the Linux kernel's Advanced Routing features, and iproute2, a user space configuration utility
- if you want to create a VPN gateway, Free/SWAN gives you all the valuable parts of the IPsec standard (except some low grade algorithms) and, additionally, so called Opportunistic Encryption
- in case you were looking for an IDS/NIDS, the Tripwire/Snort pair could come into play...
- ...and if the quality of the available free fingerprint databases does not satisfy you, there are commercial ones offered for Snort
Still, every tool has its own interface, requirements and tricks. That is where OSA (will) come in. Imagine that there is one tool which offers you:
- a unified abstraction of the device you are enforcing policy on (i.e. it belongs to some class capable of some actions [like VPN Gateway], but is independent of the particular vendor), which is the object of your action
- a unified view of various network objects (address range, host, gateway, group of other objects...) that can be the subject of your action
- a unified management interface (you may prefer to access your administrator account by GUI, command line, web browser...)
- a component based system, in which you can exchange particular modules if you do not like the implementation
- and last, but not least, some kind of help in resolving potential conflicts between various settings
Additionally, it:
- is standards compliant
- is Open Source
- offers you management only, leaving the vast security stuff to some well known, well trusted, well tested workhorses (in contrast to some commercial products which try to deliver an end to end system)
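To make the three abstractions above concrete (network objects as the subject of an action, vendor-independent device classes as its object, and a conflict check between settings), here is a small model in Python. It is an added illustration written for this page, not OSA's own code or data model; the class names, the capability sets FIREWALL and VPN_GATEWAY, and the sample hosts, ranges and gateways are all constructed for the example.

```python
"""Toy model of the OSA abstractions described above: network objects as
rule subjects, capability classes for devices, and a conflict check.
Added illustration only (not OSA's code); Python standard library only."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterator


# --- network objects: the things a rule can be the *subject* of ------------
class NetworkObject:
    name: str

    def networks(self) -> Iterator:
        """Yield the ip_network blocks this object covers."""
        raise NotImplementedError

    def overlaps(self, other: NetworkObject) -> bool:
        return any(a.overlaps(b) for a in self.networks() for b in other.networks())


@dataclass(frozen=True)
class Host(NetworkObject):
    name: str
    address: str

    def networks(self):
        yield ip_network(self.address)      # a bare address becomes a /32 (or /128)


@dataclass(frozen=True)
class AddressRange(NetworkObject):
    name: str
    cidr: str

    def networks(self):
        yield ip_network(self.cidr)


@dataclass(frozen=True)
class Group(NetworkObject):
    name: str
    members: tuple[NetworkObject, ...]

    def networks(self):
        for member in self.members:         # groups may nest other groups
            yield from member.networks()


# --- devices: the *object* of a rule, described by a capability class -------
FIREWALL = frozenset({"allow", "deny"})     # e.g. an iptables box (assumed class)
VPN_GATEWAY = FIREWALL | {"tunnel"}         # e.g. a Free/SWAN gateway (assumed class)


@dataclass(frozen=True)
class Device:
    name: str
    capabilities: frozenset          # which actions its class supports
    vendor: str                      # informational only; rules never depend on it


@dataclass(frozen=True)
class Rule:
    device: Device
    subject: NetworkObject
    action: str


def can_perform(device: Device, action: str) -> bool:
    """Vendor-independent capability check: does the device's class support the action?"""
    return action in device.capabilities


# Action pairs that cannot both apply to overlapping subjects on one device.
CONTRADICTORY = {frozenset({"allow", "deny"})}


class PolicyError(ValueError):
    pass


class Policy:
    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def add(self, rule: Rule) -> None:
        if not can_perform(rule.device, rule.action):
            raise PolicyError(f"{rule.device.name} ({rule.device.vendor}) cannot {rule.action}")
        self.rules.append(rule)

    def conflicts(self) -> list[tuple[Rule, Rule]]:
        """Pairs of rules on the same device with contradictory actions whose subjects overlap."""
        found = []
        for i, a in enumerate(self.rules):
            for b in self.rules[i + 1:]:
                if (a.device == b.device
                        and frozenset({a.action, b.action}) in CONTRADICTORY
                        and a.subject.overlaps(b.subject)):
                    found.append((a, b))
        return found


def build_demo_policy() -> Policy:
    """Constructed sample data: two gateways in different departments."""
    admins = Group("admins", (Host("ws1", "10.0.1.10"), Host("ws2", "10.0.1.11")))
    office = AddressRange("office", "10.0.1.0/24")
    partner = AddressRange("partner", "192.168.50.0/24")
    fw_hq = Device("fw-hq", FIREWALL, "iptables")
    vpn_rd = Device("vpn-rd", VPN_GATEWAY, "Free/SWAN")

    policy = Policy()
    policy.add(Rule(fw_hq, office, "deny"))    # deny the whole office subnet...
    policy.add(Rule(fw_hq, admins, "allow"))   # ...then allow hosts inside it: a conflict
    policy.add(Rule(vpn_rd, partner, "tunnel"))
    policy.add(Rule(vpn_rd, admins, "allow"))  # other device, so no conflict with fw-hq
    return policy


if __name__ == "__main__":
    for a, b in build_demo_policy().conflicts():
        print(f"conflict on {a.device.name}: {a.action} {a.subject.name} "
              f"vs {b.action} {b.subject.name}")
```

Run it and the only conflict reported is on fw-hq, where a deny for the office range and an allow for the admins group (whose hosts sit inside that range) disagree; the VPN gateway's rules are untouched because they live on a different device. Trying to add a "tunnel" rule to a plain FIREWALL device is rejected by the capability check before it ever reaches a vendor-specific backend, which is the point of keeping the device class separate from the implementation module behind it.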
Of course not all components of this system will be added at once. At the beginning I would like to maintain the universality of the interfaces, while providing some reference implementations for some kinds of policy enforcement devices.
Stay tuned...
More details are to be found in the documentation section.