Firewall Wizards mailing list archives
Re: VM system for firewall use
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Tue, 12 Oct 2004 08:28:35 +0100
Hello

I'd be very interested in discussing working SE Linux considerations and configurations. AFAIK it's a bit tricky to set up. I've got a background in DEC MLS+ and Trusted Solaris and can probably configure user space controls; it's the system level controls that I'm nervous about. When we did it (on MLS+), it was a case of 'guess the privs' and then add/subtract until the minimum working set was found. I'm sure there must be a better way; I admit I haven't done a lot of googling but as we were (almost) on the topic, I thought I'd ask the wizards.
Kev
> On Mon, 11 Oct 2004, ArkanoiD wrote:
>
> > nuqneH,
> >
> > Looks like I am being forced into designing an all-in-one box with extended
> > functionality, combining firewall and a bunch of services I really don't like
> > putting into a firewall, but they say it's marketing demand ;-)
>
> Yep, that's what they always say!
>
> > The services are antispam/antivirus filters/IDS correlator and so on. I
> > strongly decline running those in the same address space. So using system
> > call wrappers like FreeBSD jail is not sufficient. I'd prefer a BSD-like
> > system, but the only thing that does fit my needs seems to be User Mode
> > Linux. Are there other things worth detailed analysis?
> >
> > boschs (if I remember the name correctly) has terrific performance overhead,
> > vmware is proprietary..
>
> RSBAC, SE Linux, or TrustedBSD if it's far enough along. MAC compartments
> are really nice for things like this, but jails aren't all that bad; the
> jail should result in a different process address space if you're using a
> different ID, shouldn't it? Unless you're worried about the same kernel
> address space; if so, UML has to be run on a kernel with SKAS enabled to
> negate that. Unless the daemons need root access, that should be sufficient
> if you keep up with kernel issues like syscall overflows and memory issues.
>
> If they need root, then I'm not sure, other than perhaps removing the root
> requirement by setting capabilities (not sure if the BSDs have that, but the
> Linux stuff does.)
>
> Bochs is, AFAIR, a CPU emulator, so you really don't want one of those if
> you can help it.
>
> There's the vserver stuff that seems to be relatively popular in the Web
> hosting space; that may have some merit and is probably worth a peek.
>
> > Another question is inter-instance communication. I need a kind of
> > loopback interface to let components talk to each other without allowing
> > access to the physical NIC when it is not required. Any hints?
>
> Look at how Postfix does it with Unix domain sockets? If you look through
> the postfix-users archive, you may pick up some of the "why this is like
> that" stuff that's priceless in terms of doing it right.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson          "My statements in this message are personal opinions
> paul () compuwar net          which may have no basis whatsoever in fact."
> probertson () trusecure com  Director of Risk Assessment
>                            TruSecure Corporation
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
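Paul's Postfix hint above, as an added example that is not from the thread or from Postfix itself: two components on the same host exchange a request over a Unix domain socket, so no network interface is involved, and the listener restricts the socket file to its own uid and additionally checks the connecting peer's uid via SO_PEERCRED (Linux-specific, assumed available) before serving it. The socket name, the request string and the in-process client are constructed for the demonstration.

```python
import os
import socket
import struct
import tempfile
import threading

def peer_uid(conn):
    # SO_PEERCRED yields struct ucred {pid, uid, gid} of the connecting process (Linux only, assumed)
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def serve_one(path, allowed_uid, ready):
    """Listen on a filesystem socket, accept one client, serve it only if its uid is allowed."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o077)  # socket inode created 0700: unprivileged other uids cannot connect()
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with srv, conn:
        uid = peer_uid(conn)
        if uid != allowed_uid:  # second check, independent of the file permission bits
            conn.sendall(b"REJECT\n")
            return {"peer_uid": uid, "accepted": False, "request": b""}
        request = conn.recv(4096)
        conn.sendall(b"OK " + request)
        return {"peer_uid": uid, "accepted": True, "request": request}

def exchange(request=b"scan /var/spool/msg1"):
    """Run listener and client in one process (constructed demo); return what both sides saw."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "filter.sock")  # hypothetical socket name
        ready, result = threading.Event(), {}
        t = threading.Thread(target=lambda: result.update(serve_one(path, os.getuid(), ready)))
        t.start()
        ready.wait()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            cli.connect(path)
            cli.sendall(request)
            result["reply"] = cli.recv(4096)
        t.join()
        return result

if __name__ == "__main__":
    print(exchange())
```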