
List:       firewall-wizards
Subject:    Re: [fw-wiz] VM system for firewall use
From:       "Paul D. Robertson" <paul () compuwar ! net>
Date:       2004-10-11 20:31:41
Message-ID: Pine.LNX.4.58.0410111558240.32056 () bat ! clueby4 ! org

On Mon, 11 Oct 2004, ArkanoiD wrote:

> nuqneH,
>
> Looks like i am being forced into designing an all-in-one box with extended
> functionality, combining firewall and a bunch of services i really don't like
> putting into a firewall, but they say it's marketing demand ;-)

Yep, that's what they always say!

>
> The services are antispam/antivirus filters/IDS correlator and so on.
> I strongly decline running those in the same address space. So using
> system call wrappers like FreeBSD jail is not sufficient. I'd prefer a
> BSD-like system, but the only thing that does fit my needs seems to be
> User Mode Linux. Are there other things worth detailed analysis?
> boschs (if I remember the name correctly) has terrific performance overhead,
> vmware is proprietary..

RSBAC, SE Linux, or TrustedBSD if it's far enough along.  MAC compartments
are really nice for things like this, but jails aren't all that bad, the
jail should result in a different process address space if you're using a
different ID, shouldn't it- unless you're worried about the same kernel
address space-  if so, UML has to be run on a kernel with SKAS enabled to
negate that.

Unless the daemons need root access, that should be sufficient if you
keep up with kernel issues like syscall overflows and memory issues.

If they need root, then I'm not sure- other than perhaps removing the root
requirement by setting capabilities (not sure if the BSDs have that, but
the Linux stuff does.)

Bochs is, AFAIR, a CPU emulator, so you really don't want one of those if
you can help it.

There's the vserver stuff that seems to be relatively popular in the Web
hosting space, that may have some merit and is probably worth a peek.

> Another question is inter-instance communication. I need a kind of loopback
> interface to let components talk to each other without allowing access
> to the physical NIC when it is not required. Any hints?

Look at how Postfix does it with Unix domain sockets?  If you look through
the postfix-users archive, you may pick up some of the "why this is like
that" stuff that's priceless in terms of doing it right.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul@compuwar.net       which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
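As an added example (not from Paul's post, not from the list, and not Postfix's own code), here is the shape of the Unix-domain-socket "loopback" Paul points at: one component listens on a socket path inside a mode-0700 directory, another connects and sends one request, and the listener checks the caller's uid with SO_PEERCRED before answering. No IP stack is involved, so a component that cannot reach the path cannot reach the service. It assumes Linux (SO_PEERCRED); the "SCAN" verb, the reply strings and the allow-list are constructed for the illustration.

```python
"""Constructed example: two co-resident components talking over an AF_UNIX socket.

The listener binds a path in a private 0700 directory (the portable access
control; not every system honours mode bits on the socket inode itself) and,
on Linux, checks the peer's uid via SO_PEERCRED before acting on a request.
"""
import os
import socket
import struct
import tempfile
import threading


def peer_uid(conn):
    """uid of the process at the far end of a connected AF_UNIX socket.

    Reads the Linux SO_PEERCRED option (struct ucred: pid, uid, gid).
    Returns None where the option is unavailable; callers treat that as deny.
    """
    try:
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize("3i"))
    except (AttributeError, OSError):
        return None
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def handle_request(request, uid, allowed_uids):
    """Policy for one request line (hypothetical 'SCAN <id>' verb only)."""
    if uid is None or uid not in allowed_uids:
        return "DENY"                      # unknown or unlisted caller
    parts = request.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] != "SCAN":
        return "ERR unknown verb"
    return "OK clean " + parts[1]          # constructed verdict; a real scanner decides


def serve_one(listener, allowed_uids):
    """Accept a single connection, answer one request, close."""
    conn, _ = listener.accept()
    with conn:
        request = conn.recv(4096).decode()
        reply = handle_request(request, peer_uid(conn), allowed_uids)
        conn.sendall((reply + "\n").encode())


def run_exchange(allowed_uids=None, request="SCAN msg-0001\n"):
    """Run listener and client in one process and return the client's reply.

    allowed_uids defaults to the current uid, i.e. the component's own
    service account; pass an empty set to see the deny path.
    """
    if allowed_uids is None:
        allowed_uids = {os.getuid()}
    sockdir = tempfile.mkdtemp(prefix="fwipc-")
    os.chmod(sockdir, 0o700)               # directory mode is the real gate
    path = os.path.join(sockdir, "scan.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        listener.bind(path)
        os.chmod(path, 0o600)
        listener.listen(1)
        server = threading.Thread(target=serve_one, args=(listener, allowed_uids))
        server.start()
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        with client:
            client.settimeout(5)
            client.connect(path)
            client.sendall(request.encode())
            reply = client.recv(4096).decode().strip()
        server.join()
        return reply
    finally:
        listener.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(sockdir)


if __name__ == "__main__":
    print(run_exchange())                  # OK clean msg-0001
    print(run_exchange(set()))             # DENY
```

Running each component under its own uid, as Paul suggests for the jails, is what makes the SO_PEERCRED check meaningful: the allow-list names the one account that is supposed to call the scanner, and the 0700 directory keeps every other account from even reaching the socket.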