Re: [fw-wiz] Proxy and Stateful together ??

From: Crispin Cowan (crispin@wirex.com)
Date: 11/16/02

• Next message: Mikael Olsson: "Re: [fw-wiz] segmentation of DMZs"
• Previous message: david singleton: "[fw-wiz] Need white paper on firewall comparision"
• In reply to: Bennett Todd: "Re: [fw-wiz] Proxy and Stateful together ??"
• Next in thread: Chris Hedemark: "Re: [fw-wiz] Proxy and Stateful together ?? OpenBSD"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Crispin Cowan <crispin@wirex.com>
To: Bennett Todd <bet@rahul.net>
Date: Sat Nov 16 18:48:30 2002

Bennett Todd wrote:

>Given the difficulty finding really first-rack top quality secure
>application-layer proxies, I think SELinux is coming to be an
>exceedingly attractive platform for building these gizmos, since it
>offers some helpful tools for sandboxing less-perfectly-trusted
>daemons. I'd also be tempted to mix in some of the canary stuff from
>Immunix (StackGuard and all that).
>
Immunix was designed to build these kinds of secure appliances. Our
SubDomain feature does the same kind of sandboxing that SELinux does,
but the sandboxing abstraction is much simpler:

    * SELinux: general purpose framework for mandatory access control
      (MAC) including features such as role-based access control (RBAC).
    * SubDomain: appliance-oriented MAC that lets you specify the file
      access that should be granted to each program.

SubDomain's simplicity makes it faster and easier to profile
applications. This allowed us to very quickly profile a bunch of highly
vulnerable and undocumented applications and CGI scripts in the 2002
Defcon Capture-the-Flag game http://news.com.com/2100-1001-948404.html

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"

• application/pgp-signature attachment: stored

• Next message: Mikael Olsson: "Re: [fw-wiz] segmentation of DMZs"
• Previous message: david singleton: "[fw-wiz] Need white paper on firewall comparision"
• In reply to: Bennett Todd: "Re: [fw-wiz] Proxy and Stateful together ??"
• Next in thread: Chris Hedemark: "Re: [fw-wiz] Proxy and Stateful together ?? OpenBSD"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: XP Roaming Profile Issue ... This behavior is because the applications are installed either by another ... The profile ships up and down to the ... > For example if they sit at a newly imaged machine and installs all their ... > with the user and is poulated with the respective application settings. ... (microsoft.public.win2000.active_directory) Re: [RFC][PATCH 3/6] SLIM main patch ... currently available in selinux. ... just to support this one model. ... applications seem to do a fixed set of operations in a fixed domain, ... So I will not be able to print my private key? ... (Linux-Kernel) Re: Pull report with or without relationships ... >My customer wants the report to show the Employee Profile with applications ... >if applications exisit OR the Profile alone. ... default join for any new query you create using these two ... (microsoft.public.access.formscoding) Re: C++ inlining as a multithreading optimization tecnique? ... > If we have to work with applications in which threads aren't I/O ... > My opinion is that we could use inline as a mechanism to improve contex ... Restoring a thread ... The only answer that we can give is profile, profile, profile. ... (comp.lang.cpp) Re: Start up in XP Pro ... For user logon applications are managed by the profile ... profile under documents and settings. ... > depending on what config you wanted. ... (microsoft.public.windowsxp.security_admin)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint