List: firewall-wizards
Subject: Re: [fw-wiz] VM system for firewall use
From: "Kevin Sheldrake" <kev () electriccat ! co ! uk>
Date: 2004-10-12 7:28:35
Message-ID: opsfqxpxiyyl48zk () wintony
Hello
I'd be very interested in discussing working SE Linux considerations and
configurations. AFAIK it's a bit tricky to set up. I've got a background
in DEC MLS+ and Trusted Solaris and can probably configure user space
controls; it's the system level controls that I'm nervous about. When we
did it (on MLS+), it was a case of 'guess the privs' and then add/subtract
until the minimum working set was found. I'm sure there must be a better
way; I admit I haven't done a lot of googling, but as we were (almost) on
the topic, I thought I'd ask the wizards.
Kev
> On Mon, 11 Oct 2004, ArkanoiD wrote:
>
>> nuqneH,
>>
>> Looks like I am being forced into designing an all-in-one box with extended
>> functionality, combining firewall and a bunch of services I really don't like
>> putting into firewall, but they say it's marketing demand ;-)
>
> Yep, that's what they always say!
>
>>
>> The services are antispam/antivirus filters/IDS correlator and so on.
>> I strongly decline running those in the same address space. So using
>> system call wrappers like FreeBSD jail is not sufficient. I'd prefer a
>> BSD-like system, but the only thing that does fit my needs seems to be
>> User Mode Linux. Are there other things worth detailed analysis?
>> boschs (if I remember the name correctly) has terrific performance overhead,
>> vmware is proprietary..
>
> RSBAC, SE Linux, or TrustedBSD if it's far enough along. MAC compartments
> are really nice for things like this, but jails aren't all that bad, the
> jail should result in a different process address space if you're using a
> different ID, shouldn't it- unless you're worried about the same kernel
> address space- if so, UML has to be run on a kernel with SKAS enabled to
> negate that.
>
> Unless the daemons need root access, that should be sufficient if you
> keep up with kernel issues like syscall overflows and memory issues.
>
> If they need root, then I'm not sure- other than perhaps removing the root
> requirement by setting capabilities (not sure if the BSDs have that, but
> the Linux stuff does.)
>
> Bochs is AFAIR, a CPU emulator, so you really don't want one of those if
> you can help it.
>
> There's the vserver stuff that seems to be relatively popular in the Web
> hosting space, that may have some merit and is probably worth a peek.
>
>> Another question is inter-instance communication. I need a kind of loopback
>> interface to let components talk to each other without allowing access
>> to the physical NIC when it is not required. Any hints?
>
> Look at how Postfix does it with Unix domain sockets? If you look through
> the postfix-users archive, you may pick up some of the "why this is like
> that" stuff that's priceless in terms of doing it right.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson         "My statements in this message are personal opinions
> paul@compuwar.net          which may have no basis whatsoever in fact."
> probertson@trusecure.com   Director of Risk Assessment TruSecure Corporation
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
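Paul's pointer above, components talking to each other over Unix domain sockets instead of a network loopback, as an added Python example. This is not code from the thread and not Postfix's implementation; the "filter" and "correlator" component names, the socket path, the 0660 mode and the single-message exchange are all assumptions made for the illustration. The security-relevant points it shows are that the socket node lives in the filesystem (so ordinary permissions, and any MAC policy, control who may connect) and that the receiving side can learn the caller's uid via SO_PEERCRED, which a TCP loopback connection cannot offer.

```python
import os
import socket
import stat
import struct
import tempfile
import threading
from typing import Optional

# Constructed example: a "filter" component sends a verdict to a "correlator"
# component over a Unix domain socket. No network interface is involved.


def _peer_uid(conn: socket.socket) -> Optional[int]:
    """Return the uid of the connecting process (Linux SO_PEERCRED), else None."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def _serve_one(server: socket.socket, allowed_uids: set) -> None:
    """Correlator side: accept one connection, check the peer, answer it."""
    conn, _ = server.accept()
    with conn:
        uid = _peer_uid(conn)
        # On Linux, refuse callers that are not in the allowed set; elsewhere
        # (no SO_PEERCRED) fall back to filesystem permissions alone.
        if uid is not None and uid not in allowed_uids:
            conn.sendall(b"DENIED")
            return
        data = conn.recv(4096)
        conn.sendall(b"CORRELATED:" + data)


def exchange_over_unix_socket(message: bytes, socket_dir: Optional[str] = None) -> dict:
    """Run one filter -> correlator exchange and report what was enforced.

    Returns the reply, the socket node's permission bits, and the address family,
    so a caller can confirm the node is group-private and no NIC was touched.
    """
    base = socket_dir or tempfile.mkdtemp(prefix="ipc-")
    path = os.path.join(base, "correlator.sock")  # assumed location

    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.settimeout(5)
    # The umask applies when bind() creates the socket node: 0777 & ~0117 = 0660,
    # i.e. only the owner and group may connect. Restore the old umask afterwards.
    old_umask = os.umask(0o117)
    try:
        server.bind(path)
    finally:
        os.umask(old_umask)
    server.listen(1)
    mode = stat.S_IMODE(os.stat(path).st_mode)

    worker = threading.Thread(target=_serve_one,
                              args=(server, {os.getuid()}), daemon=True)
    worker.start()

    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(5)
    with client:
        client.connect(path)
        client.sendall(message)
        reply = client.recv(4096)

    worker.join(timeout=5)
    server.close()
    os.unlink(path)
    return {"reply": reply, "mode": mode, "family": "AF_UNIX"}


if __name__ == "__main__":
    result = exchange_over_unix_socket(b"spam-score=7")
    print(result["reply"], oct(result["mode"]), result["family"])
```

Putting the socket directory under a path that only the two components' users (or MAC domains) can traverse is what actually keeps other services out; the uid check is a second, cheap layer on Linux. In a jail or UML instance the same approach works as long as the socket directory is shared into both compartments.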