[prev in list] [next in list] [prev in thread] [next in thread]
List: firewall-wizards
Subject: Re: [fw-wiz] VM system for firewall use
From: Crispin Cowan <crispin () immunix ! com>
Date: 2004-10-14 18:45:25
Message-ID: 416EC945.108 () immunix ! com
[Download RAW message or body]
Christopher Hicks wrote:
> On Tue, 12 Oct 2004, Paul D. Robertson wrote:
>
>> I'm really unsure as to why a jail isn't enough though--
>
>
> I was thinking about this and I'm thinking JAILs plus MAC would
> provide a more winning solution than seperating things by using VMs.
>
> Scenario: a compartment gets compromised. If that compartment is in a
> JAIL/MAC environment then what that compromise can accomplish is
> effectively minimized. In the VM environment the compromise would
> compromise that entire VM and that VM could communicate with any other
> VM in any way it pleased.
>
> The JAIL/MAC version seems a lot less scary and catastrophic to me.
Immunix SubDomain is designed to attack precisely this problem space.
SubDomain lets you specify for each program what files it can read,
write, and execute.
* vs. VMs: a VM totally isolates a package. It has as much access to
the rest of the machine as a remote network connection will
permit. SubDomain lets programs have controlled interaction
through the file system and local IPC.
* vs. Chroot: a properly configured chroot, similar to a VM, only
allows socket communications, and is less secure.
* vs. SELinux: you can do the same sort of thing with SELinux as in
SubDomain, but SELinux is more difficult to use. For instance, the
program profile for wuftpd in SELinux is 4.5X larger than the
profile for the same program in SubDomain. SubDomain is also
faster, with an overhead of 2% vs. an overhead of 6-15% in
SELinux, and huge overheads for VMs.
Elsewhere, Kevin Sheldrake wrote:
> I'd be very interested in discussing working SE Linux considerations
> and configurations. AFAIK it's a bit tricky to setup. I've got a
> background in DEC MLS+ and Trusted Solaris and can probably configure
> user space controls; it's the system level controls that I'm nervous
> about. When we did it (on MLS+), it was a case of 'guess the privs'
> and then add/subtract until the minimum working set was found. I'm
> sure there must be a better way; I admit I haven't done a lot of
> googling but as we were (almost) on the topic, I thought I'd ask the
> wizards.
Making this stuff easy to set up is what SubDomain does. I can demo
creating a program profile for Apache in under 5 minutes, even while
customers are watching :)
Thanks to the LSM (Linux Security Modules) <http://lsm.immunix.org/>
feature now in Linux 2.6, SubDomain is available as a plug-in
application that you can install on top of existing Linux system
http://www.immunix.com/products/
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic