Firewall Wizards mailing list archives

Re: Proxy and Stateful together ??


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sat, 16 Nov 2002 11:05:40 -0500 (EST)

On Fri, 15 Nov 2002, Bennett Todd wrote:

[Moderator's note: There have been lots of product recommendations, I 
hope the original questioner will summarize them all for the list early 
next week, so we don't have a flood of "I like $product" messages.  
Vendors are encouraged to e-mail the original questioner directly should 
they feel the requirements are met with their respective products.]

> 2002-11-15-10:19:51 Jean Caron:
> > I'd really like to find a true hybrid firewall doing both
> > Application Level Proxy and Stateful Packet Filtering, with the
> > flexibility of doing either or.
>
> My favourite bastion architecture!
>
> Pick open source base OS of choice; I happen to like Linux, but any
> of the *BSDs work as well. Use its builtin stateful packet
> filtering, mix and match however tastes best with an assortment of
> open source proxies of various sorts. Wherever possible use really
> well-written, tightly-secured, high-level application proxies. The
> gold standard of this sort would be, for SMTP, qmail and Postfix,
> and for DNS, djbdns. All the others are a step down.

> Given the difficulty finding really first-rate top quality secure
> application-layer proxies, I think SELinux is coming to be an
> exceedingly attractive platform for building these gizmos, since it
> offers some helpful tools for sandboxing less-perfectly-trusted
> daemons. I'd also be tempted to mix in some of the canary stuff from
> Immunix (StackGuard and all that).

I'm curious about why you'd choose SELinux over RSBAC given several things:

1.  SELinux may end up patent encumbered from the DTE stuff.
2.  RSBAC is much older and therefore has an easier to evaluate history.
3.  RSBAC seems, at least on the face of it, to be much easier to 
administer.
4.  Recent RSBAC kernels have a jail facility built right in.
5.  The Government wasn't involved in RSBAC ;)

Would you mind sharing your rationale?

> Might park a snort on it while I was about it, too.

Hmmm, isn't that adding a level of bloatedness that's a bit extreme?


> The Olde Fashioned way to pull this off is of course to sandbox the
> less-trustworthy application proxies out in separate physical boxes
> out on DMZs. Nice if you can afford it:-).
>
> -Bennett

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
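The "hybrid bastion" Bennett sketches above (kernel stateful filtering plus a handful of application proxies as the only reachable services) is concrete enough to write down as a ruleset. The following is an added example, not code from the thread or from any of the projects named in it. It emits a Linux iptables-restore ruleset from a shell function so the policy can be reviewed before it is loaded; the interface name, addresses, network and proxy ports are placeholders you would substitute for your own. The proxies themselves (an SMTP relay such as Postfix or qmail, djbdns, an HTTP proxy on 3128) are assumed to be listening on the bastion.

```shell
#!/bin/sh
# Added example (not from the list post): iptables-restore ruleset for a
# hybrid bastion. The kernel's connection tracking does the stateful part;
# the only services reachable from outside are local application proxies,
# and nothing is ever forwarded between outside and inside.
# Assumed placeholders: eth0 = outside interface, 192.0.2.10 = bastion
# address, 10.0.0.0/24 = inside network, proxies on tcp/25, udp+tcp/53,
# tcp/3128. Override via environment variables if needed.

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
BASTION_IP="${BASTION_IP:-192.0.2.10}"
INSIDE_NET="${INSIDE_NET:-10.0.0.0/24}"

# Emit the ruleset on stdout. Nothing is applied unless the output is piped
# into iptables-restore (see the "apply" guard at the bottom).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# stateful part: packets belonging to sessions we already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# proxy part: outsiders may open sessions only to the proxy daemons
-A INPUT -i $OUTSIDE_IF -d $BASTION_IP -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $OUTSIDE_IF -d $BASTION_IP -p udp --dport 53 -j ACCEPT
-A INPUT -i $OUTSIDE_IF -d $BASTION_IP -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# inside hosts talk only to the proxies; FORWARD stays DROP so no packet
# crosses the bastion without passing through a proxy
-A INPUT ! -i $OUTSIDE_IF -s $INSIDE_NET -p tcp -m multiport --dports 25,53,3128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT ! -i $OUTSIDE_IF -s $INSIDE_NET -p udp --dport 53 -j ACCEPT
# the proxies originate their own outbound sessions (mail relay, DNS, web)
-A OUTPUT -o $OUTSIDE_IF -p tcp -m multiport --dports 25,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $OUTSIDE_IF -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Self-check: how many rules actually consult connection state. A "stateful"
# policy that comes back with 0 here is just a static ACL.
stateful_rule_count() {
    gen_rules | grep -c -- '--ctstate'
}

# Load only on explicit request:  sh hybrid-bastion.sh apply
if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore
fi
```

Two design points worth noting. The FORWARD chain is left at its DROP policy on purpose: on this box there is no packet path from outside to inside that does not terminate in a userland proxy, which is what distinguishes the hybrid from a plain stateful router. And the proxies' own outbound rules are the place to tighten further (for example restricting the SMTP relay to a single smarthost), since those rules define what a compromised proxy could reach.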

