Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: VM system for firewall use

From: ArkanoiD <ark () eltex net>
Date: Tue, 12 Oct 2004 18:15:53 +0400
On Tue, Oct 12, 2004 at 10:01:51AM -0400, Paul D. Robertson wrote:


I'm a big fan of MAC compartments, but the admin overhead can be no fun.
Fortunately, for your usage, you just have to define the policy once.


Yes, that's the point ;-)



I'm really unsure as to why a jail isn't enough though--

If the code runs on the firewall, and it is compromised, it's game over,
separation between processes just seems like it's not going to be all that
useful.


Why? If the code compromised is, say, content filter that has no access to
real hardware, just runs on virtual disk drive and talks to a kind of looback
interface to other components, the impact is just malicious user may 
bypass this particular filter, and nothing more (there are more dangers
in real world since if it was taken over there are more attacks to other 
components accessible from this point, but that risk can be minimized as well)


 Now, if you get MAC down into the network later, and don't allow
the less-trusted code access to the internal interface,


Sure!


then *that* gets
interesting, but virtualizing the less-trusted code just seems to me like
it doesn't gain all that much if you can gain root (jails seem to help
with that problem?)

[1]Yes, MAC on a Mac is not going to be fun to talk about without
confusing
folks.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: