Firewall Wizards mailing list archives
Re: VM system for firewall use
From: Crispin Cowan <crispin () immunix com>
Date: Thu, 14 Oct 2004 11:45:25 -0700
Christopher Hicks wrote:
On Tue, 12 Oct 2004, Paul D. Robertson wrote:

I'm really unsure as to why a jail isn't enough though--I was thinking about this and I'm thinking JAILs plus MAC would provide a more winning solution than separating things by using VMs.

Scenario: a compartment gets compromised. If that compartment is in a JAIL/MAC environment then what that compromise can accomplish is effectively minimized. In the VM environment the compromise would compromise that entire VM and that VM could communicate with any other VM in any way it pleased.

The JAIL/MAC version seems a lot less scary and catastrophic to me.
Immunix SubDomain is designed to attack precisely this problem space. SubDomain lets you specify for each program what files it can read, write, and execute.
* vs. VMs: a VM totally isolates a package. It has as much access to the rest of the machine as a remote network connection will permit. SubDomain lets programs have controlled interaction through the file system and local IPC.
* vs. Chroot: a properly configured chroot, similar to a VM, only allows socket communications, and is less secure.
* vs. SELinux: you can do the same sort of thing with SELinux as in SubDomain, but SELinux is more difficult to use. For instance, the program profile for wuftpd in SELinux is 4.5X larger than the profile for the same program in SubDomain. SubDomain is also faster, with an overhead of 2% vs. an overhead of 6-15% in SELinux, and huge overheads for VMs.

Elsewhere, Kevin Sheldrake wrote:
I'd be very interested in discussing working SE Linux considerations and configurations. AFAIK it's a bit tricky to setup. I've got a background in DEC MLS+ and Trusted Solaris and can probably configure user space controls; it's the system level controls that I'm nervous about. When we did it (on MLS+), it was a case of 'guess the privs' and then add/subtract until the minimum working set was found. I'm sure there must be a better way; I admit I haven't done a lot of googling but as we were (almost) on the topic, I thought I'd ask the wizards.
Making this stuff easy to set up is what SubDomain does. I can demo creating a program profile for Apache in under 5 minutes, even while customers are watching :)
Thanks to the LSM (Linux Security Modules) <http://lsm.immunix.org/> feature now in Linux 2.6, SubDomain is available as a plug-in application that you can install on top of an existing Linux system: http://www.immunix.com/products/
Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
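Crispin's description of SubDomain (a per-program profile listing which files the program may read, write and execute, with everything else denied) can be made concrete with a small model of such a policy engine. The following is an added example for this archive page, not SubDomain's own code or profile format: the fnmatch-style globs, the r/w/x permission letters, the httpd profile and the list of access attempts are all constructed for illustration, and leaving a program with no profile unconfined is an assumed default.

```python
"""Toy model of per-program file confinement (constructed example).

Each confined program has a profile: a list of (path glob, permission letters)
rules.  Access is granted only if some matching rule carries the requested
permission; anything not listed is denied.  Programs without a profile are
treated as unconfined and left to ordinary DAC (an assumption for this model).
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Profile:
    program: str
    # (glob, perms): perms is any subset of the letters r (read), w (write), x (execute).
    rules: List[Tuple[str, str]]

    def allows(self, path: str, op: str) -> bool:
        # Permissions accumulate across every rule whose glob matches the path.
        # fnmatch '*' also crosses '/' boundaries, so globs here are deliberately narrow.
        granted = set()
        for glob, perms in self.rules:
            if fnmatch.fnmatchcase(path, glob):
                granted.update(perms)
        return op in granted


class PolicyEngine:
    def __init__(self, profiles: List[Profile]):
        self.profiles: Dict[str, Profile] = {p.program: p for p in profiles}
        self.audit: List[Tuple[str, str, str, str, str]] = []

    def check(self, program: str, path: str, op: str) -> bool:
        """Mediate one access and record an audit line for it."""
        profile: Optional[Profile] = self.profiles.get(program)
        if profile is None:
            decision, reason = True, "unconfined"   # no profile: DAC alone applies
        else:
            decision, reason = profile.allows(path, op), "profile"
        self.audit.append((program, path, op, "ALLOW" if decision else "DENY", reason))
        return decision


# Constructed profile for a web server: read config and content, append logs,
# load shared libraries, execute only itself.
HTTPD_PROFILE = Profile("/usr/sbin/httpd", [
    ("/etc/httpd/*", "r"),
    ("/var/www/html/*", "r"),
    ("/var/log/httpd/*", "w"),
    ("/usr/lib/*.so*", "r"),
    ("/usr/sbin/httpd", "x"),
])


def demo():
    """Run a constructed sequence of accesses, including ones a compromised
    httpd process would need to reach beyond its intended job."""
    engine = PolicyEngine([HTTPD_PROFILE])
    attempts = [
        ("/usr/sbin/httpd", "/var/www/html/index.html", "r"),   # normal serving
        ("/usr/sbin/httpd", "/var/log/httpd/access_log", "w"),  # normal logging
        ("/usr/sbin/httpd", "/etc/shadow", "r"),                # path not in profile
        ("/usr/sbin/httpd", "/var/www/html/index.html", "w"),   # listed path, wrong op
        ("/usr/sbin/httpd", "/bin/sh", "x"),                    # execute not granted
        ("/usr/bin/vi", "/etc/shadow", "r"),                    # unconfined program
    ]
    decisions = [engine.check(*a) for a in attempts]
    return decisions, engine.audit


if __name__ == "__main__":
    _, audit = demo()
    for program, path, op, verdict, reason in audit:
        print(f"{verdict:5} {reason:10} {program} {op} {path}")
```

The point the model makes is the one in the message: a compromise of httpd stays inside the profile, because the decision is keyed on the program and the requested operation rather than on the user it runs as, while an unprofiled program is untouched by the engine.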