
List:       firewall-wizards
Subject:    Re: [fw-wiz] VM system for firewall use
From:       "Marcus J. Ranum" <mjr () ranum ! com>
Date:       2004-10-12 17:53:28
Message-ID: 6.1.2.0.2.20041012124706.02a5aec0 () pop ! ranum ! com

Paul D. Robertson wrote:
>> I was thinking about this and I'm thinking JAILs plus MAC would provide a
>> more winning solution than separating things by using VMs.
>
>I'm leaning that way as well, though it seems non-intuitive on the
>surface.

The premise of MAC is that you're building an environment where
Bad Guys/Processes might co-exist with Good Guys/Processes,
and you want to keep them from interfering with each other. I think
that's great but the main premise of MLS is usually that you're
still offering a general purpose computing environment. For building
a security server, I think that's probably the first assumption to
trash. Don't follow the usual mantra of "minimization" by taking
off unnecessary stuff, etc. Invert the process and do a "zero build"
configuration. Install only the absolute minimum of stuff necessary to
get the machine to boot and start your program(s). Leave out the
shell, 90% of /dev, all of /bin, /etc, etc. Leave out /etc/passwd
because you don't have /bin/login, or sshd or any of that crud.
THEN you can start thinking about MAC. Layering MAC on top
of a general purpose O/S is just attempting to polish a t*rd.

If you assume that a Bad Guy gets into your device, the main
value of minimization is reducing the likelihood that the tool(s)
he needs will be there. You're also increasing the likelihood that
he'll trip himself up over something weird or previously unknown
about your setup. That's a good further argument for using MAC
instead of a VM. If he can get into the VM it's more likely he
knows what he's dealing with. MAC is confusing to Bad Guys.
MAC is confusing to Good Guys. MAC is an equal opportunity
confusticator. :)  I'd go with a zero build and then think about
layering MAC into it as an exercise in overkill, if I really needed
the overkill.

mjr.  

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
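As an added example (not code from the thread or from any of its participants), a POSIX shell audit that applies the inverted "zero build" approach mjr describes to a jail or chroot root: enumerate the few paths the service needs and report everything else, rather than hunting for things to remove. The service binary /sbin/fwd, its config file and the allow-list are hypothetical.

```shell
# Added example, not code from the thread: audit a jail/chroot root the
# "zero build" way. Rather than deleting known-unnecessary files, enumerate
# the few paths the service needs and report everything else as a finding.
# The service (/sbin/fwd, /etc/fwd.conf) and the allow-list are hypothetical.

# Everything the service needs to boot and run. Nothing else belongs in ROOT.
ZERO_BUILD_ALLOW="./sbin/fwd ./etc/fwd.conf ./dev/null ./dev/urandom"

# General-purpose leftovers that should never survive a zero build
# (shells, the password file, login and sshd, as named in the message).
ZERO_BUILD_CRUD="./bin/sh ./bin/bash ./etc/passwd ./bin/login ./usr/sbin/sshd"

# Print every non-directory path under ROOT ($1) that is not on the allow-list.
zero_build_extras() {
    allow=$(mktemp)
    printf '%s\n' $ZERO_BUILD_ALLOW > "$allow"
    # -F fixed strings, -x whole-line match, -v invert: keep only unlisted paths
    ( cd "$1" && find . ! -type d | sort ) | grep -vFx -f "$allow" || true
    rm -f "$allow"
}

# Summarise a root: number of unlisted paths and which known crud is present.
# Exit status 0 only when the tree is exactly the allow-list and crud-free.
zero_build_check() {
    root=$1
    extras=$(zero_build_extras "$root" | wc -l | tr -d ' ')
    crud=0
    for c in $ZERO_BUILD_CRUD; do
        if [ -e "$root/$c" ]; then
            printf 'crud present: %s\n' "$c"
            crud=$((crud + 1))
        fi
    done
    printf 'unlisted paths: %s, crud files: %s\n' "$extras" "$crud"
    [ "$extras" -eq 0 ] && [ "$crud" -eq 0 ]
}

# Usage: zero_build_check /path/to/jail/root
```

Run it against the populated jail root before the first boot; a clean result means the tree contains exactly the allow-list, so any later surprise is something the service itself created.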