[prev in list] [next in list] [prev in thread] [next in thread] 

List:       firewall-wizards
Subject:    Re: [fw-wiz] VM system for firewall use
From:       ArkanoiD <ark () eltex ! net>
Date:       2004-10-12 14:15:53
Message-ID: 20041012181553.A16998 () eltex ! net
[Download RAW message or body]

On Tue, Oct 12, 2004 at 10:01:51AM -0400, Paul D. Robertson wrote:

> I'm a big fan of MAC compartments, but the admin overhead can be no fun.
> Fortunately, for your usage, you just have to define the policy once.

Yes, that's the point ;-)

> 
> I'm really unsure as to why a jail isn't enough though--
> 
> If the code runs on the firewall, and it is compromised, it's game over,
> separation between processes just seems like it's not going to be all that
> useful.

Why? If the code compromised is, say, content filter that has no access to
real hardware, just runs on virtual disk drive and talks to a kind of looback
interface to other components, the impact is just malicious user may 
bypass this particular filter, and nothing more (there are more dangers
in real world since if it was taken over there are more attacks to other 
components accessible from this point, but that risk can be minimized as well)

>  Now, if you get MAC down into the network later, and don't allow
> the less-trusted code access to the internal interface,

Sure!

> then *that* gets
> interesting, but virtualizing the less-trusted code just seems to me like
> it doesn't gain all that much if you can gain root (jails seem to help
> with that problem?)
> 
> [1]Yes, MAC on a Mac is not going to be fun to talk about without
> confusing
> folks.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
[prev in list] [next in list] [prev in thread] [next in thread]