Re: [fw-wiz] VM system for firewall use
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 10/12/04
- Previous message: Christopher Hicks: "Re: [fw-wiz] VM system for firewall use"
- In reply to: Christopher Hicks: "Re: [fw-wiz] VM system for firewall use"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Christopher Hicks <chicks@chicks.net> Date: Tue, 12 Oct 2004 11:17:40 -0400 (EDT)
On Tue, 12 Oct 2004, Christopher Hicks wrote:
> On Tue, 12 Oct 2004, Paul D. Robertson wrote:
> > I'm really unsure as to why a jail isn't enough though--
>
> I was thinking about this and I'm thinking JAILs plus MAC would provide a
> more winning solution than seperating things by using VMs.
I'm leaning that way as well, though it seems non-intuitive on the
surface.
> Scenario: a compartment gets compromised. If that compartment is in a
> JAIL/MAC environment then what that compromise can accomplish is
> effectively minimized. In the VM environment the compromise would
> compromise that entire VM and that VM could communicate with any other VM
> in any way it pleased.
More importantly (I think) the data objects in a MAC environment never
lose their label, and therefore enforcement is the same over all
things that would be VMs- if that includes things like executability, or
if it includes compartments for devices, the boundaries are held no matter
what happens, so there's less chance for malice (depending on policy and
design) than with some sort of one-off inter-VM communication system.
> The JAIL/MAC version seems a lot less scary and catastrophic to me.
>
> Am I missing something here?
I'm not sure jail is even necessary with the right MAC modules and
capability stuff turned on. If you have the partition module and the
seeotheruids module loaded, I'm not sure that jail gives you much.
More importantly, VMs don't scale well if you have lots of processes to
protect from one another, MAC seems to.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Christopher Hicks: "Re: [fw-wiz] VM system for firewall use"
- In reply to: Christopher Hicks: "Re: [fw-wiz] VM system for firewall use"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
