{"id":2948,"date":"2018-06-02T10:01:39","date_gmt":"2018-06-02T14:01:39","guid":{"rendered":"http:\/\/chrisgrundemann.com\/?p=2948"},"modified":"2022-05-05T14:46:04","modified_gmt":"2022-05-05T18:46:04","slug":"open-source-network-security-cumulus-linux","status":"publish","type":"post","link":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/","title":{"rendered":"Open Source Network Security with Cumulus Linux"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. I\u2019ll assume you get that and spare you a description of these terms here. If you do want a crash course on network disaggregation and how it relates to orchestration\/SDN, check out <\/span><a href=\"http:\/\/packetpushers.net\/simplified-approach-sdn-network-disaggregation\/\"><span style=\"font-weight: 400;\">my previous post on the Packet Pushers blog<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With that bit of housekeeping out of the way, let\u2019s dig right into today\u2019s topic: Open source network security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, why does <a href=\"https:\/\/chrisgrundemann.com\/index.php\/category\/security\/\">security<\/a> matter? If you\u2019re like most network engineers, your primary goal typically is to get bits of data from one place to another. Anything that interferes with the free flow of packets and frames is a potential problem. So the goals of security can at first appear contrary to those of the network. Raise your hand if you\u2019ve ever been frustrated by a firewall rule or some seemingly arcane security policy!<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Unfortunately, we no longer have the luxury of ignoring security. Today\u2019s network is one of the most crucial pieces of IT infrastructure for any organization and for the economies we operate in. It simply must work, which leaves us no time to deal with interruptions from malicious activities or bad actors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In fact, if we look at security from the highest levels, it\u2019s all about three things: confidentiality, integrity and availability. Even the most hard-nosed network engineer should recognize these ideals. Isn\u2019t that exactly what is needed to design, build and operate a trusted, reliable network?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This probably isn\u2019t news to you. The demands for security are mounting just as quickly and forcefully as the demands for a more pervasive, resilient network. So how do you meet these demands? One way to build a flexible, cost-effective and programmable network is to leverage disaggregation and open source software. But is that safe? Can we have security and flexibility? Can we build an open source network for mission critical applications, or do we need to rely on manufacturers who provide proprietary software to ensure the level of security needed in today\u2019s networks?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this post, I\u2019ll use Cumulus Linux as a case study for secure open networking, and answer those exact questions.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Open Source Security<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Before we can answer the question of open source software\u2019s impact on the security of a network, we need to look at the security of open source itself.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As you know, the defining characteristic of open source software is that the source code is made publicly available to all. This is in contrast to proprietary, closed source software where the company who writes the code keeps it a secret.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This distinction is also the root of the most contentious security debate between open source and proprietary software in general. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Proponents of proprietary software will tell us that publishing the source code of open source software allows bad actors to easily identify, understand and exploit security flaws in the software. Anyone can download and examine it! They will go on to say that proprietary software is thus safer, because the code is a secret, and that it is much harder to reverse engineer security flaws than it is to simply find them in open code repositories. OK, makes sense.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the other side of this debate are the open source proponents who will tell you that sunlight is the best disinfectant. That is, that more eyes on the code means better software because a wide and diverse community of developers is able to review the code, identify flaws and fix them directly. No need to wait for the vendor to accept your request and make the needed changes. Now <\/span><i><span style=\"font-weight: 400;\">that\u2019s<\/span><\/i><span style=\"font-weight: 400;\"> interesting!<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This open versus closed debate is one that seems to have been largely settled in the cryptography space and captured in what is called \u2018Kerckhoff\u2019s Principle,\u2019 which reads; \u201c<\/span><i><span style=\"font-weight: 400;\">A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.<\/span><\/i><span style=\"font-weight: 400;\">\u201d Meaning that the best system does not rely on secrets to be secure, but rather on robust engineering. This is essentially the opposite of \u2018security through obscurity\u2019 and was further refined by Claude Shannon into the following maxim: \u201c<\/span><i><span style=\"font-weight: 400;\">one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.<\/span><\/i><span style=\"font-weight: 400;\">&#8220;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bruce Schneier, a world renowned security expert, <\/span><a href=\"https:\/\/www.schneier.com\/crypto-gram\/archives\/1999\/0915.html#OpenSourceandSecurity\"><span style=\"font-weight: 400;\">explained this in a newsletter<\/span><\/a><span style=\"font-weight: 400;\">, back in 1999: \u00a0&#8220;<\/span><i><span style=\"font-weight: 400;\">In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It&#8217;s true for cryptographic algorithms, security protocols, and security source code. For us, open source isn&#8217;t just a business model; it&#8217;s smart engineering practice.<\/span><\/i><span style=\"font-weight: 400;\">&#8221; He goes on to push back on the idea that being public is itself a flaw: &#8220;<\/span><i><span style=\"font-weight: 400;\">Public algorithms are designed to be secure even though they are public; that&#8217;s how they&#8217;re made. So there&#8217;s no risk in making them public. If an algorithm is only secure if it remains secret, then it will only be secure until someone reverse-engineers and publishes the algorithms.<\/span><\/i><span style=\"font-weight: 400;\">\u201d Finally he talks about the speed with which flaws can be worked out of open versus closed source systems: \u201c<\/span><i><span style=\"font-weight: 400;\">So a two year-old piece of open source code is likely to have far fewer security flaws than proprietary code, simply because so many of them have been found and fixed over that time. Security flaws will also be discovered in proprietary code, but at a much slower rate.<\/span><\/i><span style=\"font-weight: 400;\">\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is, however, a potential flaw in this argument when we\u2019re talking about open source code in general. In order for openness to result in additional security (and fewer bugs overall), we need to ensure that it is in fact being reviewed. Luckily for our case study, Cumulus Linux is based on Linux, one of the most reviewed open source code bases on the planet. This is true of most open NOS\u2019s, so it\u2019s worth taking a look more specifically at Linux itself.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Linux Security<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In addition to being an open source operating system, Linux is one of the most prominent and popular examples of free and open source software ever.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Knowing that, it is likely not surprising that the Linux model creates security through transparency. With its large base of developers from all over the world, across many industries, communities and organizations, we can be fairly certain that Linux is getting all of the expert attention needed to ensure swift identification and eradication of security flaws.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Debian Linux<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">One specific detail that is pertinent to our current case study is that Cumulus Linux leverages the Debian distribution of Linux. It is instructive then to take a look at the <\/span><a href=\"https:\/\/www.debian.org\/security\/\"><span style=\"font-weight: 400;\">Debian Linux security policies<\/span><\/a><span style=\"font-weight: 400;\">: \u201c<\/span><i><span style=\"font-weight: 400;\">Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs. Experience has shown that security through obscurity does not work. Public disclosure allows for more rapid and better solutions to security problems.<\/span><\/i><span style=\"font-weight: 400;\">\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With a wide community developing, testing and supporting Debian, it becomes nearly impossible for bad actors (think state actors, malicious hackers and others) to insert backdoors or other intentional security flaws because they would simply be caught by the experts who are constantly reviewing the code. Contrast this with proprietary systems, where only a privileged set of employees from one group in one company has access to the code. It appears obvious which system has the potential to be more secure.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Linux Security Tools<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">In addition to all the expert eyes pursuing the code, reviewing changes and providing transparent security announcements, Linux offers many native security tools. These tools are available to any system based on a full and open Linux distribution. Let\u2019s look briefly at a few of them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/Pluggable_authentication_module\"><span style=\"font-weight: 400;\">pluggable authentication module (PAM)<\/span><\/a><span style=\"font-weight: 400;\"> is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It\u2019s a one stop shop for authentication that has been available as a stand-alone offering since 1996. Imagine how many expert eyes have reviewed and ensured its robustness in those twenty plus years! Cumulus uses PAM to control the length and strength of passwords and ensure solid defaults. This can be enhanced with packages such as the libpam_pwquality and pam_cracklib, which are available on the Debian repository.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another password related tool is the libsnmp-dev package that can be installed on an open Linux device to prevent the use of cleartext passwords with SNMPv3. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">While strong passwords can help keep unauthorized users from logging into a network device, we also have to be vigilant of many other forms of attack and malicious traffic. To view and control the ports open on a Linux device, we have tools such as netstat and systemctl. There is also a suite of Linux netfilter tools (iptables, ip6tables, and ebtables) to identify and filter specific IPv4, IPv6 and layer 2 datagrams. Oh, and don\u2019t forget the denyhosts utility (available on the Debian repository) for helping to prevent SSH attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Beyond these, there is a list of additional tools too long to dig into here. Things like snort, pfsense and clamav are all available to increase the security of an open network device and the networks it is connected to.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Proprietary Linux<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Some of you may be thinking, \u201cSo what? My favorite big name IT vendor uses a Linux\/BSD kernel, so I\u2019m already getting all of this, right?\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Well, not necessarily. Just because something uses a *nix kernel under the hood does not always guarantee the same advantages that an open NOS provides. In fact, it is quite likely that the very act of making the operating system proprietary actually negates many of these advantages.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Right off the bat, you lose the ability to immediately apply community patches to discovered security flaws. Because the system is now proprietary, you are forced to wait for the vendor to identify, accept and test the patch on their modified version of the software. Think of <\/span><a href=\"https:\/\/www.howtogeek.com\/129273\/why-your-android-phone-isnt-getting-operating-system-updates-and-what-you-can-do-about-it\/\"><span style=\"font-weight: 400;\">the lag<\/span><\/a><span style=\"font-weight: 400;\"> between pure vanilla Android updates and those provided by large phone manufacturers that repackage Android into their own particular flavor.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Even worse, the folks who implemented the proprietary system could have included old versions of open source packages, or made other mistakes that make the software less secure. And because these proprietary systems are closed source, there is no easy way to examine the code to identify such missteps. We have to just wait for someone to reverse engineer the software, or otherwise exploit the flaw. That is obviously less than ideal. And what about intentional weaknesses? Can you really trust any code that you aren\u2019t allowed to examine for yourself?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another major factor to consider with proprietary software, whether based on Linux or not, is your access. With an open NOS, you have full access to see and change anything you need. The level of visibility and granularity of control is hard to beat in any proprietary system. An open NOS also gives you the ability to install and use the widest array of additional packages and tools. Have you ever tried to run snort on a legacy monolithic networking device? Chances are you couldn\u2019t even attempt it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are two caveats we need to address here:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Networking vendors are obviously not offering closed source proprietary software with the intention of making it less secure. So why are they? One reason to consider is that by closing the system, offering less visibility and control, they are actually making it less prone to user error. Call this the guardrail effect, and be sure you are ready to own your destiny if you dive into fully open systems.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Many traditionally closed operating systems are being opened up to allow more access to run third party tools, use APIs, etc. Rather than a knock against open systems, this seems to be a validation of the model, and an indicator of where the future might lie.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Whether a vendor builds proprietary software for more control, more profit or more features, the fact remains that closed source systems are islands that will never be as fully explored as open source systems. There is just no way that more people are using any one proprietary NOS than are using Linux. Thus, there will always be more expert eyes looking out for (and correcting) problems in the latter than in the former.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Cumulus Linux Security<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">So far we\u2019ve seen that open source software can be just as secure as proprietary software as long as there is an active community of experts reviewing the code \u2014 and that Linux has such a community. But how does that translate into networking and the security of a network built on open software? I\u2019m glad you asked. Using Cumulus Linux as our case study, we\u2019re going to dive down that rabbit hole right now.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The first thing worth pointing out is what doesn\u2019t change when going from a proprietary NOS to a more open one. Overall, the same security protocols and techniques are used in both. Cumulus Linux uses the industry standard OpenSSH suite, including support for local passwords, LDAP, TACACS+ and private keys. Cumulus makes available, and recommends using SNMPv3 for secure authentication and encryption of management traffic. Need a management VRF to keep that traffic separate? Check mark. And what about routing protocol security? Again, industry standard implementations of BGP, OSPF, BFDS, MD5, TTLs, etc.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Perhaps a bit more interesting and unique is how well Cumulus Linux is hardened by default:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">ZTP is disabled by default after the initial configuration process is complete. If you are reading this in early 2018, you\u2019ll know exactly how important that is!<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Telnet, ftp, tftp and other less secure access methods are disabled by default.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Cumulus Linux 3.6 and newer ships with direct login to the root account disabled by default.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">If local passwords are used, the obscure option is enabled by default, which requires a password of at least 6 characters in length, requires complex passwords and does not allow re-use or similarity of the old password for all non-root user accounts.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Cumulus provides control plane protection by default, and offers an additional method (<\/span><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/docs.cumulusnetworks.com\/display\/DOCS\/Default+Cumulus+Linux+ACL+Configuration\"><span style=\"font-weight: 400;\">default filters<\/span><\/a><span style=\"font-weight: 400;\"> are written directly into the hardware on the switchport interfaces, whether the protocol is active or not, and perform at line rate; no performance degradation occurs).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">All logging in Cumulus Linux is done via the rsyslog mechanism with high precision timestamp logging on by default (<\/span><span style=\"font-weight: 400;\">Logins and attempted logins are logged by default in \/var\/log\/syslog).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Cumulus does not enable SNMP by default for security reasons (<\/span><span style=\"font-weight: 400;\">To increase security by default, Cumulus Linux versions 3.6 and later only listen to SNMP traffic coming from the switch itself \u2014 accessing SNMP information from outside the box is disabled).<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Beyond secure defaults, Cumulus Linux offers several options for ensuring additional security. Here are a few that jumped out at me:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure Package Management: All Cumulus Linux packages are GNU Privacy Guard (GPG) signed. Also, you can Apt-get to a Cumulus repository using https for secure transfer of Cumulus packages.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/docs.nvidia.com\/networking-ethernet-software\/cumulus-linux-42\/System-Configuration\/Netfilter-ACLs\/\"><span style=\"font-weight: 400;\">Enhanced Netfilter Abilities<\/span><\/a><span style=\"font-weight: 400;\">: Cumulus Linux goes further than Debian Linux by supporting additional targets such as SPAN, police and tricolor police.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"http:\/\/ethancbanks.com\/2014\/08\/27\/what-is-prescriptive-topology-manager-ptm-dot\/\"><span style=\"font-weight: 400;\">Prescriptive Topology Manager (PTM)<\/span><\/a><span style=\"font-weight: 400;\">: This is a dynamic cabling verification tool that uses LLDP and an uploaded diagram to help detect and eliminate layer 0 errors. The check is performed on every link transition on each node in the network. It can also be used for OSPF unnumbered verification.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/docs.nvidia.com\/networking-ethernet-software\/cumulus-linux-43\/Layer-1-and-Switch-Ports\/Buffer-and-Queue-Management\/Hardware-enabled-DDOS-Protection\/\"><span style=\"font-weight: 400;\">Hardware-Based DDOS Protection<\/span><\/a><span style=\"font-weight: 400;\">: This is only applicable to switches with a Broadcom Trident, Trident II or Tomahawk ASIC, so it is disabled by default.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Summary<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">I can hear you from here: \u201cThat\u2019s great, Chris, but what does it all mean?!\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Before I answer that, I want to take a moment to talk a bit more about security in general. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">When it comes to security, whether it\u2019s network security, cloud security, endpoint security, open source security, closed source security, or even personal security, there are no silver bullets. There is no single answer, no magic pill, no miraculous product that eliminates your need to plan thoughtfully and observe diligently. The most secure software on the planet is worthless if you fail to patch vulnerabilities as they are discovered. And they <\/span><i><span style=\"font-weight: 400;\">will<\/span><\/i><span style=\"font-weight: 400;\"> be discovered. Likewise, all the security products and services on the planet are worthless if you don\u2019t properly configure and implement them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">All that is to say that ultimately, security is your responsibility. That is true when you buy proprietary software and when you implement open source software. It\u2019s true when you install physical devices and when you consume cloud resources. It is simply the way of the world.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So, is open source software a network security risk? Only if you let it be. Linux, Cumulus Linux, and many open source projects provide you with all of the tools you need to operate a secure network, but at the end of the day, it\u2019s up to you to ensure they are used properly.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you want to learn all about how to secure Cumulus Linux for yourself, check out this <\/span><a href=\"https:\/\/cumulusnetworks.com\/learn\/web-scale-networking-resources\/white-papers\/securing-cumulus-linux\/\"><span style=\"font-weight: 400;\">whitepaper<\/span><\/a><span style=\"font-weight: 400;\">, and if you want to stay up to date on all things Cumulus security, subscribe to this <\/span><a href=\"https:\/\/lists.cumulusnetworks.com\/listinfo\/cumulus-security-announce\"><span style=\"font-weight: 400;\">mailing list<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p style=\"text-align: right;\"><em>This post first appeared <a href=\"https:\/\/cumulusnetworks.com\/blog\/open-source-software-security\/\">on the Cumulus Networks blog<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networks are changing. More and more we\u2019re hearing terms like <a href=\"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/\"> &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":2949,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[836,24,27],"tags":[842,878,324,465,820,468,470,771,474,476,496,497,875,874,876,866,877],"class_list":["post-2948","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networking","category-security","category-technology","tag-cumulus","tag-cumulus-linux","tag-infrastructure","tag-network","tag-network-disaggregation","tag-network-engineer","tag-network-engineers","tag-network-security","tag-networking","tag-networks","tag-open","tag-open-source","tag-open-source-code","tag-open-source-software","tag-proprietary-software","tag-security","tag-security-flaws"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Open Source Network Security with Cumulus Linux ~ Chris Grundemann<\/title>\n<meta name=\"description\" content=\"Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. This begs the question: Is open source network security achievable?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Open Source Network Security with Cumulus Linux ~ Chris Grundemann\" \/>\n<meta property=\"og:description\" content=\"Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. This begs the question: Is open source network security achievable?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/\" \/>\n<meta property=\"og:site_name\" content=\"Chris Grundemann\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/chris.grundemann\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-02T14:01:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-05-05T18:46:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"999\" \/>\n\t<meta property=\"og:image:height\" content=\"662\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"~Chris\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/ChrisGrundemann\" \/>\n<meta name=\"twitter:site\" content=\"@ChrisGrundemann\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"~Chris\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/\"},\"author\":{\"name\":\"~Chris\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#\\\/schema\\\/person\\\/16a6af2797267c7d91f29876d5a0870f\"},\"headline\":\"Open Source Network Security with Cumulus Linux\",\"datePublished\":\"2018-06-02T14:01:39+00:00\",\"dateModified\":\"2022-05-05T18:46:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/\"},\"wordCount\":2951,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/chrisgrundemann.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/10854154014_5bb34a78f2_o.jpg\",\"keywords\":[\"Cumulus\",\"Cumulus Linux\",\"infrastructure\",\"network\",\"network disaggregation\",\"network engineer\",\"network engineers\",\"Network security\",\"networking\",\"Networks\",\"Open\",\"Open Source\",\"open source code\",\"open source software\",\"proprietary software\",\"Security\",\"security flaws\"],\"articleSection\":[\"Networking\",\"Security\",\"Technology\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/\",\"url\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/\",\"name\":\"Open Source Network Security with Cumulus Linux ~ Chris Grundemann\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/chrisgrundemann.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/10854154014_5bb34a78f2_o.jpg\",\"datePublished\":\"2018-06-02T14:01:39+00:00\",\"dateModified\":\"2022-05-05T18:46:04+00:00\",\"description\":\"Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. This begs the question: Is open source network security achievable?\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#primaryimage\",\"url\":\"https:\\\/\\\/chrisgrundemann.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/10854154014_5bb34a78f2_o.jpg\",\"contentUrl\":\"https:\\\/\\\/chrisgrundemann.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/10854154014_5bb34a78f2_o.jpg\",\"width\":999,\"height\":662,\"caption\":\"Open Source Network Security\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/2018\\\/open-source-network-security-cumulus-linux\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/chrisgrundemann.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/chrisgrundemann.com\\\/index.php\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Open Source Network Security with Cumulus Linux\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#website\",\"url\":\"https:\\\/\\\/chrisgrundemann.com\\\/\",\"name\":\"Chris Grundemann\",\"description\":\"Use technology, marketing, and strategy to take your growing business to the next level.\",\"publisher\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/chrisgrundemann.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#organization\",\"name\":\"Grundemann Technology Solutions\",\"url\":\"https:\\\/\\\/chrisgrundemann.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/chrisgrundemann.com\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/cropped-GTS-Logo.png\",\"contentUrl\":\"https:\\\/\\\/chrisgrundemann.com\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/cropped-GTS-Logo.png\",\"width\":512,\"height\":512,\"caption\":\"Grundemann Technology Solutions\"},\"image\":{\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/ChrisGrundemann\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/grundemann\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/cgrundemann\\\/\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCJ3Pk4AAVMBG4KCzxYAtExA\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/chrisgrundemann.com\\\/#\\\/schema\\\/person\\\/16a6af2797267c7d91f29876d5a0870f\",\"name\":\"~Chris\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cbff57968626714c5bdb525f740f898c0d1e506a63c350b6a3341e57337e7fc7?s=96&d=mm&r=pg\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cbff57968626714c5bdb525f740f898c0d1e506a63c350b6a3341e57337e7fc7?s=96&d=mm&r=pg\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cbff57968626714c5bdb525f740f898c0d1e506a63c350b6a3341e57337e7fc7?s=96&d=mm&r=pg\",\"caption\":\"~Chris\"},\"description\":\"Creative|Technologist. Curious. Boisterous. Autotelic Autodidact. Heretic. Hacker. Rider of Boards. Writer of Words. ...Traveler of Time...\",\"sameAs\":[\"https:\\\/\\\/chrisgrundemann.com\",\"https:\\\/\\\/www.facebook.com\\\/chris.grundemann\",\"http:\\\/\\\/instagram.com\\\/chrisgrundemann\",\"www.linkedin.com\\\/in\\\/cgrundemann\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/twitter.com\\\/ChrisGrundemann\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCJ3Pk4AAVMBG4KCzxYAtExA\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Open Source Network Security with Cumulus Linux ~ Chris Grundemann","description":"Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. This begs the question: Is open source network security achievable?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/","og_locale":"en_US","og_type":"article","og_title":"Open Source Network Security with Cumulus Linux ~ Chris Grundemann","og_description":"Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. This begs the question: Is open source network security achievable?","og_url":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/","og_site_name":"Chris Grundemann","article_author":"https:\/\/www.facebook.com\/chris.grundemann","article_published_time":"2018-06-02T14:01:39+00:00","article_modified_time":"2022-05-05T18:46:04+00:00","og_image":[{"width":999,"height":662,"url":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg","type":"image\/jpeg"}],"author":"~Chris","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/ChrisGrundemann","twitter_site":"@ChrisGrundemann","twitter_misc":{"Written by":"~Chris","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#article","isPartOf":{"@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/"},"author":{"name":"~Chris","@id":"https:\/\/chrisgrundemann.com\/#\/schema\/person\/16a6af2797267c7d91f29876d5a0870f"},"headline":"Open Source Network Security with Cumulus Linux","datePublished":"2018-06-02T14:01:39+00:00","dateModified":"2022-05-05T18:46:04+00:00","mainEntityOfPage":{"@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/"},"wordCount":2951,"commentCount":2,"publisher":{"@id":"https:\/\/chrisgrundemann.com\/#organization"},"image":{"@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#primaryimage"},"thumbnailUrl":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg","keywords":["Cumulus","Cumulus Linux","infrastructure","network","network disaggregation","network engineer","network engineers","Network security","networking","Networks","Open","Open Source","open source code","open source software","proprietary software","Security","security flaws"],"articleSection":["Networking","Security","Technology"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/","url":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/","name":"Open Source Network Security with Cumulus Linux ~ Chris Grundemann","isPartOf":{"@id":"https:\/\/chrisgrundemann.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#primaryimage"},"image":{"@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#primaryimage"},"thumbnailUrl":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg","datePublished":"2018-06-02T14:01:39+00:00","dateModified":"2022-05-05T18:46:04+00:00","description":"Networks are changing. More and more we\u2019re hearing terms like whitebox, britebox, disaggregation, NOS, commodity hardware, and open source when we talk about the future of networking. This begs the question: Is open source network security achievable?","breadcrumb":{"@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#primaryimage","url":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg","contentUrl":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg","width":999,"height":662,"caption":"Open Source Network Security"},{"@type":"BreadcrumbList","@id":"https:\/\/chrisgrundemann.com\/index.php\/2018\/open-source-network-security-cumulus-linux\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/chrisgrundemann.com\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/chrisgrundemann.com\/index.php\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Open Source Network Security with Cumulus Linux"}]},{"@type":"WebSite","@id":"https:\/\/chrisgrundemann.com\/#website","url":"https:\/\/chrisgrundemann.com\/","name":"Chris Grundemann","description":"Use technology, marketing, and strategy to take your growing business to the next level.","publisher":{"@id":"https:\/\/chrisgrundemann.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/chrisgrundemann.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/chrisgrundemann.com\/#organization","name":"Grundemann Technology Solutions","url":"https:\/\/chrisgrundemann.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/chrisgrundemann.com\/#\/schema\/logo\/image\/","url":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2020\/10\/cropped-GTS-Logo.png","contentUrl":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2020\/10\/cropped-GTS-Logo.png","width":512,"height":512,"caption":"Grundemann Technology Solutions"},"image":{"@id":"https:\/\/chrisgrundemann.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/ChrisGrundemann","https:\/\/www.linkedin.com\/company\/grundemann","https:\/\/www.linkedin.com\/in\/cgrundemann\/","https:\/\/www.youtube.com\/channel\/UCJ3Pk4AAVMBG4KCzxYAtExA"]},{"@type":"Person","@id":"https:\/\/chrisgrundemann.com\/#\/schema\/person\/16a6af2797267c7d91f29876d5a0870f","name":"~Chris","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cbff57968626714c5bdb525f740f898c0d1e506a63c350b6a3341e57337e7fc7?s=96&d=mm&r=pg","url":"https:\/\/secure.gravatar.com\/avatar\/cbff57968626714c5bdb525f740f898c0d1e506a63c350b6a3341e57337e7fc7?s=96&d=mm&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cbff57968626714c5bdb525f740f898c0d1e506a63c350b6a3341e57337e7fc7?s=96&d=mm&r=pg","caption":"~Chris"},"description":"Creative|Technologist. Curious. Boisterous. Autotelic Autodidact. Heretic. Hacker. Rider of Boards. Writer of Words. ...Traveler of Time...","sameAs":["https:\/\/chrisgrundemann.com","https:\/\/www.facebook.com\/chris.grundemann","http:\/\/instagram.com\/chrisgrundemann","www.linkedin.com\/in\/cgrundemann","https:\/\/x.com\/https:\/\/twitter.com\/ChrisGrundemann","https:\/\/www.youtube.com\/channel\/UCJ3Pk4AAVMBG4KCzxYAtExA"]}]}},"jetpack_featured_media_url":"https:\/\/chrisgrundemann.com\/wp-content\/uploads\/2018\/06\/10854154014_5bb34a78f2_o.jpg","jetpack_shortlink":"https:\/\/wp.me\/ps8ie-Ly","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/posts\/2948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/comments?post=2948"}],"version-history":[{"count":0,"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/posts\/2948\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/media\/2949"}],"wp:attachment":[{"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/media?parent=2948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/categories?post=2948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chrisgrundemann.com\/index.php\/wp-json\/wp\/v2\/tags?post=2948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}