Re: [fw-wiz] Proxy and Stateful together ??

From: Paul D. Robertson (proberts@patriot.net)
Date: 11/16/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Bennett Todd <bet@rahul.net>
Date: Sat Nov 16 09:46:01 2002

On Fri, 15 Nov 2002, Bennett Todd wrote:

[Moderator's note: There have been lots of product recommendations, I
hope the original questioner will summarize them all for the list early
next week, so we don't have a flood of "I like $product" messages.
Vendors are encouraged to e-mail the original questioner directly should
they feel the requirements are met with their respective products.]

> 2002-11-15-10:19:51 Jean Caron:
> > I'd really like to find a true hybrid firewall doing both
> > Application Level Proxy and Stateful Packet Filtering, with the
> > flexibility of doing either or.
>
> My favourite bastion architecture!
>
> Pick open source base OS of choice; I happen to like Linux, but any
> of the *BSDs work as well. Use its builtin stateful packet
> filtering, mix and match however tastes best with an assortment of
> open source proxies of various sorts. Wherever possible use really
> well-written, tightly-secured, high-level application proxies. The
> gold standard of this sort would be, for SMTP, qmail and Postfix,
> and for DNS, djbdns. All the others are a step down.
>
> Given the difficulty finding really first-rack top quality secure
> application-layer proxies, I think SELinux is coming to be an
> exceedingly attractive platform for building these gizmos, since it
> offers some helpful tools for sandboxing less-perfectly-trusted
> daemons. I'd also be tempted to mix in some of the canary stuff from
> Immunix (StackGuard and all that).

I'm curious about why you'd choose SELinux over RSBAC given several things:

1. SELinux may end up patent encumbered from the DTE stuff.
2. RSBAC is much older and therefore has an easier to evaluate history.
3. RSBAC seems, at least on the face of it, to be much easier to
administer.
4. Recent RSBAC kernels have a jail facility built right in.
5. The Government wasn't involved in RSBAC ;)

Would you mind sharing your rationale?

> Might park a snort on it while I was about it, too.

Hmmm, isn't that adding a level of bloatedness that's a bit extreme?

>
> The Olde Fashioned way to pull this off is of course to sandbox the
> less-trustworthy application proxies out in separate physical boxes
> out on DMZs. Nice if you can afford it:-).
>
> -Bennett

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation


