Re: [fw-wiz] Web server security?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/22/04

  • Next message: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"
    To: Crispin Cowan <crispin@immunix.com>
    Date: Tue, 22 Jun 2004 11:32:38 -0400 (EDT)
    
    

    On Tue, 22 Jun 2004, Crispin Cowan wrote:

    > Previously available only as a feature of Immunix OS, SubDomain is now
    > available as a stand-alone product for Linux 2.6 systems via the LSM
    > interface for pluggable security modules. In the near term, since
    > Immunix requires Linux 2.6, that means SuSE 9.1.

    FWIW, I tend to share most of Amon Ott's worries about LSM:

    http://www.rsbac.org/lsm.htm

    The two most salient points, IMO are:

    And the whole hook design is broken, because all kernel data gets exposed
    to any module that likes to register - what an invitation to root kit
    authors.

    and:

    When in the year 2000 the first common access control framework for all
    important then existing Linux kernel access control extensions was
    designed, people from LIDS, Medusa, SGI and RSBAC, as well as some other
    people, already solved most of these and some other important issues.
    Unfortunately, our design did not get the important impetus to prosper and
    died.

    The LSM project, lead mostly by different people (who had also been
    invited to our previous discussion), felt itself bound to Linus' order
    that security must not cost anything in performance, focused on single
    modules and, sorry to say that, mostly ignored the work done by the first
    approach.

    "Security can't cost performance!" and ignoring folks who've done the real
    hard work before have never been good traits for a project...

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"