Firewall Wizards mailing list archives
Re: VM system for firewall use
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 12 Oct 2004 13:53:28 -0400
Paul D. Robertson wrote:
> I was thinking about this and I'm thinking JAILs plus MAC would provide a more winning solution than separating things by using VMs.

I'm leaning that way as well, though it seems non-intuitive on the surface.

The premise of MAC is that you're building an environment where Bad Guys/Processes might co-exist with Good Guys/Processes, and you want to keep them from interfering with each other. I think that's great but the main premise of MLS is usually that you're still offering a general purpose computing environment. For building a security server, I think that's probably the first assumption to trash. Don't follow the usual mantra of "minimization" by taking off unnecessary stuff, etc. Invert the process and do a "zero build" configuration. Install only the absolute minimum of stuff necessary to get the machine to boot and start your program(s). Leave out the shell, 90% of /dev, all of /bin, /etc, etc. Leave out /etc/passwd because you don't have /bin/login, or sshd or any of that crud. THEN you can start thinking about MAC. Layering MAC on top of a general purpose O/S is just attempting to polish a t*rd.

If you assume that a Bad Guy gets into your device, the main value of minimization is reducing the likelihood that the tool(s) he needs will be there. You're also increasing the likelihood that he'll trip himself up over something weird or previously unknown about your setup. That's a good further argument for using MAC instead of a VM. If he can get into the VM it's more likely he knows what he's dealing with. MAC is confusing to Bad Guys. MAC is confusing to Good Guys. MAC is an equal opportunity confusticator. :)

I'd go with a zero build and then think about layering MAC into it as an exercise in overkill, if I really needed the overkill.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
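The "zero build" configuration described in the post above, as an added shell example that is not part of the original message or the thread: instead of starting from a full install and removing things, it starts from an empty directory and copies in only the named program(s) plus the shared objects ldd reports for them, then audits that the usual intruder toolkit (a shell, login, /etc/passwd, sshd, scripting interpreters) is absent. The function names, the root path, the use of ldd and cp -L, and /bin/true as a stand-in for the one daemon the box exists to run are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build a "zero build" root
# containing only the program(s) you name and the shared objects they link
# against. No shell, no /bin beyond your program, no /etc/passwd, no login,
# no sshd. Assumes a Linux-style ldd and cp -L to follow library symlinks.
set -eu

# zero_build_root ROOT PROGRAM... : wipe ROOT and populate it with each
# PROGRAM and its dynamic dependencies, preserving absolute paths so the
# tree can be handed straight to chroot(8) or a jail.
zero_build_root() {
    root=$1; shift
    case $root in ""|/) echo "refusing to build into '$root'" >&2; return 1;; esac
    rm -rf "$root"
    mkdir -p "$root"
    for prog in "$@"; do
        mkdir -p "$root$(dirname "$prog")"
        cp -L "$prog" "$root$prog"
        # ldd prints "libX => /path (addr)" for libraries and "\t/path (addr)"
        # for the dynamic loader. A static binary prints "not a dynamic
        # executable" and matches neither pattern, so nothing else is copied.
        ldd "$prog" 2>/dev/null |
            awk '/=> \//{print $3} /^[ \t]+\//{print $1}' |
            while read -r lib; do
                mkdir -p "$root$(dirname "$lib")"
                cp -L "$lib" "$root$lib"
            done
    done
    # Device nodes (mknod) and an /etc/ld.so.conf would go here only if the
    # program actually needs them; both require root and are left out here.
}

# audit_zero_build ROOT : fail if anything an intruder would reach for is
# present. This is a denylist sanity check; the real review is listing every
# file in ROOT and justifying each one.
audit_zero_build() {
    root=$1
    status=0
    for f in bin/sh bin/bash bin/login etc/passwd etc/shadow \
             usr/sbin/sshd usr/bin/perl usr/bin/python3; do
        if [ -e "$root/$f" ]; then
            echo "FAIL: $f present under $root" >&2
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: $(find "$root" -type f | wc -l | tr -d ' ') file(s) under $root"
    fi
    return "$status"
}

# Demo with /bin/true standing in for the one daemon the box exists to run.
if [ "${1:-}" = "--demo" ]; then
    zero_build_root /tmp/zero-root /bin/true
    audit_zero_build /tmp/zero-root
    find /tmp/zero-root -type f
fi
```

Run it with `--demo` to see how few files a dynamically linked program really needs; the resulting tree is what you would boot or chroot into, and adding MAC policy on top of it is then a matter of describing a handful of files rather than a whole distribution.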
Current thread:
- Re: VM system for firewall use, (continued)
- Re: VM system for firewall use Paul D. Robertson (Oct 11)
- Re: VM system for firewall use ArkanoiD (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 12)
- Re: VM system for firewall use ArkanoiD (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 12)
- Message not available
- Message not available
- Re: VM system for firewall use ArkanoiD (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 12)
- Re: VM system for firewall use ArkanoiD (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 11)
- Re: VM system for firewall use Christopher Hicks (Oct 12)
- Re: VM system for firewall use Christopher Hicks (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 12)
- Re: VM system for firewall use Marcus J. Ranum (Oct 12)
- Re: VM system for firewall use Bennett Todd (Oct 12)
- Re: VM system for firewall use Ng Pheng Siong (Oct 14)
- Re: VM system for firewall use Crispin Cowan (Oct 17)
- Re: VM system for firewall use Christian Kreibich (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 12)
- Re: VM system for firewall use Paul D. Robertson (Oct 12)