
List:       firewall-wizards
Subject:    Re: [fw-wiz] VM system for firewall use
From:       "Paul D. Robertson" <paul () compuwar ! net>
Date:       2004-10-12 14:01:51
Message-ID: Pine.LNX.4.58.0410120955410.11205 () bat ! clueby4 ! org

On Tue, 12 Oct 2004, ArkanoiD wrote:

> nuqneH,
>
> Do you think Xen/TrustedBSD combo is viable solution or there is no good
> reason to build such a monster?

I've never seen Xen, so I don't know if it's production quality.
TrustedBSD is on my list of things to investigate [strong rumor] since
I've heard that Apple's Tiger release will include pieces of Trusted Mach
and TrustedBSD and their direction moving forward is to integrate more and
more.[/strong rumor][1]

I'm a big fan of MAC compartments, but the admin overhead can be no fun.
Fortunately, for your usage, you just have to define the policy once.

I'm really unsure as to why a jail isn't enough though--

If the code runs on the firewall, and it is compromised, it's game over,
separation between processes just seems like it's not going to be all that
useful.  Now, if you get MAC down into the network later, and don't allow
the less-trusted code access to the internal interface, then *that* gets
interesting, but virtualizing the less-trusted code just seems to me like
it doesn't gain all that much if you can gain root (jails seem to help
with that problem?)

[1] Yes, MAC on a Mac is not going to be fun to talk about without
confusing folks.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul@compuwar.net       which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards