OPNsense Forum

English Forums => Development and Code Review => Topic started by: ky41083 on March 06, 2018, 01:32:36 am

Title: [Plugin / Base Package Request] - haveged
Post by: ky41083 on March 06, 2018, 01:32:36 am
Either as an optional plugin, or adding it as part of the base install, I think this would bring a lot to the table, security (and performance) wise...

This daemon generates an impressive amount of unpredictable and unmonitorable entropy, at an even more impressive load (or lack of it) on the system. In all cases, it ends up being significantly more efficient and produces significantly better entropy (more unique randomness) than the stock kernel RNG.

It does this by reading internal volatile hardware states. This translates to having equally high-speed and high-quality entropy on both physical and virtual instances. These hardware states are virtualized by all hypervisors, and so give virtual machines even more benefit, as virtual hardware has notoriously poorer entropy than physical hardware when using traditional RNGs.

Benefits (especially on virtual instances), off the top of my head:
- All security certs generated become much more secure (SA, Server, User, Web, etc. certificates)
- Any process that waits for a specific amount of unique entropy before starting / continuing
- Reducing random delays and pauses for the entire system, when entropy is needed
- Enhancing the security of all systems using encryption (Web server, IPsec, OpenVPN, SSH, HTTPS, etc.)

Many, many more...

A very large number of cloud based hosting providers are recommending this be installed in virtual instances.

Some specific software packages recommend this be installed when using virtual instances, especially where web servers / crypto / entropy is involved (e.g. Ubiquiti UniFi), clearing up service start delays, usage delays, etc.

Some other BYOD firewalls / UTMs already use haveged, e.g. Sophos UTM.

http://www.issihosts.com/haveged/
http://www.irisa.fr/caps/projects/hipsor/