Re: [fw-wiz] VM system for firewall use

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 10/12/04

    To: Christopher Hicks <chicks@chicks.net>
    Date: Tue, 12 Oct 2004 11:17:40 -0400 (EDT)
    
    

    On Tue, 12 Oct 2004, Christopher Hicks wrote:

    > On Tue, 12 Oct 2004, Paul D. Robertson wrote:
    > > I'm really unsure as to why a jail isn't enough though--
    >
    > I was thinking about this and I'm thinking JAILs plus MAC would provide a
    > more winning solution than separating things by using VMs.

    I'm leaning that way as well, though it seems non-intuitive on the
    surface.

    > Scenario: a compartment gets compromised. If that compartment is in a
    > JAIL/MAC environment then what that compromise can accomplish is
    > effectively minimized. In the VM environment the compromise would
    > compromise that entire VM and that VM could communicate with any other VM
    > in any way it pleased.

    More importantly (I think) the data objects in a MAC environment never
    lose their label, and therefore enforcement is the same over all
    things that would be VMs- if that includes things like executability, or
    if it includes compartments for devices, the boundaries are held no matter
    what happens, so there's less chance for malice (depending on policy and
    design) than with some sort of one-off inter-VM communication system.

    > The JAIL/MAC version seems a lot less scary and catastrophic to me.
    >
    > Am I missing something here?

    I'm not sure jail is even necessary with the right MAC modules and
    capability stuff turned on. If you have the partition module and the
    seeotheruids module loaded, I'm not sure that jail gives you much.

    More importantly, VMs don't scale well if you have lots of processes to
    protect from one another, MAC seems to.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
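
The process-visibility rules of the two MAC modules named in the message above (the partition module and seeotheruids), as an added example that is not part of the original post. It is a simplified Python model based on the mac_partition(4) and mac_seeotheruids(4) man-page descriptions; the process table, uids, partition numbers and function names are constructed for illustration, and "no partition" is represented as 0.

```python
"""Toy model of process visibility under FreeBSD's mac_partition(4) and
mac_seeotheruids(4), following their man-page descriptions (simplified)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    name: str
    uid: int
    partition: int = 0   # assumption of this model: 0 = no partition label

def partition_allows(subj, obj):
    # mac_partition: an unlabelled subject sees everything; a labelled one
    # sees only processes carrying the same partition number.
    return subj.partition == 0 or subj.partition == obj.partition

def seeotheruids_allows(subj, obj, suser_privileged=True):
    # mac_seeotheruids: only same-uid processes are visible; root is exempt
    # when security.mac.seeotheruids.suser_privileged is set.
    return subj.uid == obj.uid or (suser_privileged and subj.uid == 0)

def visible(subj, procs, policies):
    # The MAC framework composes policies restrictively: every loaded
    # policy must allow the access.
    return sorted(p.name for p in procs if all(ok(subj, p) for ok in policies))

# Constructed process table: firewall proxies in two partitions, plus
# unlabelled root processes.
PROCS = [
    Proc("smtp-proxy", uid=1001, partition=10),
    Proc("smtp-helper", uid=1002, partition=10),
    Proc("http-proxy", uid=1001, partition=20),
    Proc("sshd", uid=0),
    Proc("admin-shell", uid=0),
]
BOTH = [partition_allows, seeotheruids_allows]

def view_from(name, policies=BOTH):
    # What the named process can see under the given set of policies.
    subj = next(p for p in PROCS if p.name == name)
    return visible(subj, PROCS, policies)

if __name__ == "__main__":
    for n in ("smtp-proxy", "admin-shell"):
        print(n, "->", view_from(n))
```

With both policies loaded, a compromised `smtp-proxy` sees only itself, while either policy alone leaves a neighbour visible.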

