Firewall Wizards mailing list archives
Re: VM system for firewall use
From: ArkanoiD <ark () eltex net>
Date: Tue, 12 Oct 2004 19:19:15 +0400
On Tue, Oct 12, 2004 at 11:05:18AM -0400, Paul D. Robertson wrote:
> Say, i have a proxy that forwards data from one network interface to another. It does some simple structure parsing and then passes content via a kind of "controlled loopback" to an inspection service, that runs in virtual environment where no network interfaces except "controlled loopback" exist, no disk drives except virtual drive it runs on, and no other hardware except CPU and private address space. So if the filter is compromised, an attacker may use it to try to compromise the proxy it talks to or to compromise the virtual machine itself - there is just nothing more it can see and touch.
>
> The issues here are:
>
> 1. The filter gets all data anyway, so all data going through the proxy is immediately subject to compromise (i.e. the filter can pass back *anything* to compromise an internal machine (say send the next IE browser a GDI exploit?) and the internal systems talk to the proxy.

No, the proxy is not at all that dumb to get data from the filter back and to use it blindly. Its interface to filter is restricted; filter may be not allowed to modify content at all - just instruct proxy with simple actions. That's a design issue i should keep in mind.

> 2. The virtualization must be complete and not contain errors. Kernel bugs *may* allow access to enough of the virtual machine's support environment to compromise it unless it's well-written. This includes the address space the virtualization environment shares with the real OS to talk via the controlled loopback interface.

Yes.

> there's something to be said for putting in as much protection as possible anyway- I'm just not sure the trade-offs will be all that good.
>
> Maybe it is worth trying to combine those methods.. Will have to figure out how ;-)
>
> I'm just happy to see how far along TrustedBSD is- I hadn't looked in a while, and there's more than enough there to spend a *lot* of time on!
I think i will use it, will see..
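
An added example, not part of the original message or any participant's code: one way the proxy side of the restricted interface described in the reply above could be enforced, where the filter can only return a small fixed verdict and the proxy forwards its own copy of the content. The wire format, action names, function names and sample filters are all assumptions constructed for illustration.

```python
import struct
from enum import IntEnum
from typing import Callable, Optional

class Action(IntEnum):
    """The only instructions the filter may give the proxy (assumed set)."""
    PASS = 1
    DROP = 2

# Hypothetical fixed-size verdict: 32-bit request id + 8-bit action code.
VERDICT = struct.Struct("!IB")

def parse_verdict(raw, expected_id: int) -> Action:
    """Strictly decode a filter reply; anything unexpected fails closed."""
    if not isinstance(raw, (bytes, bytearray)) or len(raw) != VERDICT.size:
        return Action.DROP          # wrong type, short reply or trailing data
    req_id, code = VERDICT.unpack(raw)
    if req_id != expected_id:
        return Action.DROP          # stale or replayed verdict
    try:
        return Action(code)
    except ValueError:
        return Action.DROP          # action code outside the allowed set

def relay(content: bytes, req_id: int,
          ask_filter: Callable[[int, bytes], bytes]) -> Optional[bytes]:
    """Return the bytes to forward, or None. Filter output is never forwarded."""
    try:
        raw = ask_filter(req_id, content)
    except Exception:
        return None                 # filter crashed or timed out: fail closed
    verdict = parse_verdict(raw, req_id)
    return content if verdict is Action.PASS else None

# Constructed stand-ins for the inspection service behind the loopback.
def honest_filter(req_id, content):
    return VERDICT.pack(req_id, Action.DROP if b"bad" in content else Action.PASS)

def oversized_filter(req_id, content):      # tries to append its own bytes
    return VERDICT.pack(req_id, Action.PASS) + b"filter-supplied bytes"

def unknown_action_filter(req_id, content): # action code not in the enum
    return VERDICT.pack(req_id, 9)

def stale_id_filter(req_id, content):       # answers for a different request
    return VERDICT.pack(req_id - 1, Action.PASS)

if __name__ == "__main__":
    for f in (honest_filter, oversized_filter, unknown_action_filter, stale_id_filter):
        print(f.__name__, relay(b"GET / HTTP/1.0\r\n\r\n", 7, f))
```
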