Firewall Wizards mailing list archives

Re: VM system for firewall use


From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Tue, 12 Oct 2004 08:28:35 +0100

Hello

I'd be very interested in discussing working SE Linux considerations and configurations. AFAIK it's a bit tricky to set up. I've got a background in DEC MLS+ and Trusted Solaris and can probably configure user space controls; it's the system level controls that I'm nervous about. When we did it (on MLS+), it was a case of 'guess the privs' and then add/subtract until the minimum working set was found. I'm sure there must be a better way; I admit I haven't done a lot of googling, but as we were (almost) on the topic, I thought I'd ask the wizards.

Kev


On Mon, 11 Oct 2004, ArkanoiD wrote:

nuqneH,

Looks like I am being forced into designing an all-in-one box with extended
functionality, combining a firewall and a bunch of services I really don't like
putting into a firewall, but they say it's marketing demand ;-)

Yep, that's what they always say!


The services are antispam/antivirus filters/IDS correlator and so on.
I strongly decline running those in the same address space. So using
system call wrappers like FreeBSD jail is not sufficient. I'd prefer a
BSD-like system, but the only thing that does fit my needs seems to be
User Mode Linux. Are there other things worth detailed analysis?
boschs (if I remember the name correctly) has terrific performance overhead,
VMware is proprietary...

RSBAC, SE Linux, or TrustedBSD if it's far enough along. MAC compartments
are really nice for things like this, but jails aren't all that bad; the
jail should result in a different process address space if you're using a
different ID, shouldn't it? Unless you're worried about the same kernel
address space; if so, UML has to be run on a kernel with SKAS enabled to
negate that.

Unless the daemons need root access, that should be sufficient if you
keep up with kernel issues like syscall overflows and memory issues.

If they need root, then I'm not sure, other than perhaps removing the root
requirement by setting capabilities (not sure if the BSDs have that, but
the Linux stuff does).

Bochs is, AFAIR, a CPU emulator, so you really don't want one of those if
you can help it.

There's the vserver stuff that seems to be relatively popular in the Web
hosting space, that may have some merit and is probably worth a peek.

Another question is inter-instance communication. I need a kind of loopback interface to let components talk to each other without allowing access
to the physical NIC when it is not required. Any hints?

Look at how Postfix does it with Unix domain sockets? If you look through
the postfix-users archive, you may pick up some of the "why this is like
that" stuff that's priceless in terms of doing it right.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

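Paul's suggestion above (a Postfix-style Unix domain socket instead of a loopback TCP port, so that co-located components can talk without any path to the physical NIC) is concrete enough to show in code. The following is an added illustration written for this archive page; it is not code from the thread, from Postfix, or from any of the projects named. The filter protocol, the `scan` verdict function, the socket name and the allowed-UID set are all invented for the example. Where the platform exposes `SO_PEERCRED` (Linux), the server also checks the UID of the connecting process, which is the control a TCP loopback port cannot give you.

```python
"""Two co-located components (a front end and an 'antispam' filter) talking
over a Unix domain socket.  Access is governed by filesystem permissions on
the socket node and, on Linux, by the peer credentials the kernel attaches
to the connection, so no network interface is involved at all.

Added example for the firewall-wizards thread; not code from the list,
from Postfix or from any named project.  The protocol is invented here."""
import os
import socket
import struct
import tempfile
import threading


def peercred_supported():
    """True where the kernel can tell us who is on the other end (Linux)."""
    return hasattr(socket, "SO_PEERCRED")


def _peer_uid(conn):
    """UID of the connecting process, or None if SO_PEERCRED is unavailable."""
    if not peercred_supported():
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)  # struct ucred: pid, uid, gid
    return uid


def scan(message):
    """Toy filter verdict standing in for the real antispam component."""
    return b"SPAM" if b"viagra" in message.lower() else b"HAM"


def listen_on(path):
    """Create the filter's socket.  The caller puts it in a mode-0700
    directory, so only that user can even reach the socket node."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # belt and braces: node itself is owner-only too
    srv.listen(1)
    return srv


def handle_one(srv, allowed_uids):
    """Accept a single request, refusing peers whose UID is not allowed."""
    conn, _ = srv.accept()
    with conn:
        uid = _peer_uid(conn)
        if uid is not None and uid not in allowed_uids:
            conn.sendall(b"ERR unauthorised\n")
        else:
            data = conn.recv(4096)  # client half-closes, so one read suffices
            conn.sendall(scan(data) + b"\n")
    srv.close()


def ask_filter(path, message):
    """Front-end side: send the message, half-close, read the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)
        return c.recv(64).strip()


def demo(message=b"Buy VIAGRA now", allowed_uids=None):
    """Run filter and front end in one process; returns the verdict bytes.
    With allowed_uids=frozenset() the request is refused on Linux."""
    if allowed_uids is None:
        allowed_uids = {os.getuid()}
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        path = os.path.join(d, "filter.sock")
        srv = listen_on(path)  # listening before the client connects: no race
        t = threading.Thread(target=handle_one, args=(srv, allowed_uids))
        t.start()
        verdict = ask_filter(path, message)
        t.join()
        return verdict


if __name__ == "__main__":
    print(demo(b"Buy VIAGRA now"))   # SPAM
    print(demo(b"meeting at ten"))   # HAM
```

Run it directly and it prints one verdict per message. In a real split-service box each component would run as its own unprivileged user, and the filter's socket directory would be owned by that user and made reachable only to the front end (for example through group ownership), which is exactly the "who may talk to whom" question that Paul notes the Postfix archives answer well.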