Re: [fw-wiz] Web server security?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/22/04

  • Next message: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"
    To: Crispin Cowan <crispin@immunix.com>
    Date: Tue, 22 Jun 2004 11:32:38 -0400 (EDT)
    
    

    On Tue, 22 Jun 2004, Crispin Cowan wrote:

    > Previously available only as a feature of Immunix OS, SubDomain is now
    > available as a stand-alone product for Linux 2.6 systems via the LSM
    > interface for pluggable security modules. In the near term, since
    > Immunix requires Linux 2.6, that means SuSE 9.1.

    FWIW, I tend to share most of Amon Ott's worries about LSM:

    http://www.rsbac.org/lsm.htm

    The two most salient points, IMO are:

    And the whole hook design is broken, because all kernel data gets exposed
    to any module that likes to register - what an invitation to root kit
    authors.

    and:

    When in the year 2000 the first common access control framework for all
    important then existing Linux kernel access control extensions was
    designed, people from LIDS, Medusa, SGI and RSBAC, as well as some other
    people, already solved most of these and some other important issues.
    Unfortunately, our design did not get the important impetus to prosper and
    died.

    The LSM project, lead mostly by different people (who had also been
    invited to our previous discussion), felt itself bound to Linus' order
    that security must not cost anything in performance, focused on single
    modules and, sorry to say that, mostly ignored the work done by the first
    approach.

    "Security can't cost performance!" and ignoring folks who've done the real
    hard work before have never been good traits for a project...

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"

    Relevant Pages

    • Re: LSM conversion to static interface
      ... than that provided by their Linux distributor. ... nothing to say on "using vendor linux kernels". ... this change forces users who want to use a different LSM than ...
      (Linux-Kernel)
    • [ANNOUNCE] ISSI is porting PitBull Foundation and LX to Linux using the LSM
      ... Innovative Security Systems is porting both our Foundation and LX ... discussions on the LSM we felt we should make our intentions known. ... We are currently working on the kernel modules required to support our ... Foundation product on Linux. ...
      (Linux-Kernel)
    • Re: Out of tree module using LSM
      ... static you called for LSM users to speak up. ... We here at Sophos (the fourth largest endpoint security vendor in the world) ... product for Linux that protects from viruses and malware hosted on Linux, ... Thanks for showing a wonderful source code example of why lsm shouldn't ...
      (Linux-Kernel)