Michael Tremer

Feature Highlights IPFire 2.15 #1: Hardening the system
by Michael Tremer, January 5, 2014

IPFire 2.15 is approaching and before we release it for you all, we would like to show you what is waiting for you.

The IPFire distribution it not based on any other Linux distribution as for example Knoppix is based on Debian. We build the entire system from source so that we, the IPFire developers, get to choose which programs and libraries we want to include and which not. We can also configure all software packages in the way we want them and we don’t have to make compromises because the purpose of the IPFire system is well defined: being a slink router/firewall distribution based on Linux.

This is one of the most important reasons for us why we do all the hard work and don’t just pull in from an other distribution that has a completely different design in mind. It allows us the flexibility we need to do what is right for a system that sits at the core of your network and is connected to the Internet – blocking all unauthorized access to your network.

In the upcoming version of IPFire 2.15, we backported some of the most essential new features of IPFire 3: A grsecurity-patched kernel and enabling the GCC stack-smashing protector and position-independent executables (PIE) in the userland.

Don’t be afraid. I don’t want to shock you with the complicated term. Here is what it really is in laymen’s terms:

Hardening the kernel

The grsecurity patchset is applied to the Linux kernel adds proactive security. That means instead of patching security issues all the time, it hardens the kernel against zero-days and other advanced threats. It makes attacks that try to gain root permissions on the system much harder and also extends the logging of any failed attempts that get blocked, too.
grsecurity enhanced the protection of services inside a chroot environment and massively decreases the chance of breakouts of other things that attackers can do inside of them to damage the system.

It also ships PaX that implements ASLR, which is a technique that makes most exploits impossible to execute. It also enforces that memory pages are either writeable or executable, but never both at the same time. Therefore, injected code can never be executed and cannot harm your firewall.

grsecurity is licensed under the GPL. On their homepage you will find a lot more detail and even research papers about how it works and what it can actually do.

Hardening the user land

In the user space, things are not just as hard to understand as in the kernel space. We are compiling all programs in the way that ASLR and PIE work and you won’t even notice. Nothing changes here, except that all programs are automatically better protected by the kernel. If you add your own code, make sure to recompile it or it may not want to execute at all, because it may be considered harmful.

On top of that, we updated some of the most essential system libraries to fix potential security issues and to protect from known attack vectors.

As we do with every release, we would like to encourage all of you to help us testing. Especially the major versions come with lots and lots of new features and functionality, that the IPFire team cannot test on its own. There are so many different configurations, setups, use-cases and environments that we cannot build in the lab. To save us, yourselves and your fellow IPFire users some trouble, please take some minutes of time and contribute! We appreciate it very much.

Posted: January 5, 2014 • 3019 views