Re: [fw-wiz] VM system for firewall use

From: Crispin Cowan (
Date: 10/14/04

  • Next message: Abe Singer: "[fw-wiz] Re: Use content-based spam filters, not address-based ones"
    To: Christopher Hicks <>
    Date: Thu, 14 Oct 2004 11:45:25 -0700

    Christopher Hicks wrote:

    > On Tue, 12 Oct 2004, Paul D. Robertson wrote:
    >> I'm really unsure as to why a jail isn't enough though--
    > I was thinking about this and I'm thinking JAILs plus MAC would
    > provide a more winning solution than seperating things by using VMs.
    > Scenario: a compartment gets compromised. If that compartment is in a
    > JAIL/MAC environment then what that compromise can accomplish is
    > effectively minimized. In the VM environment the compromise would
    > compromise that entire VM and that VM could communicate with any other
    > VM in any way it pleased.
    > The JAIL/MAC version seems a lot less scary and catastrophic to me.

    Immunix SubDomain is designed to attack precisely this problem space.
    SubDomain lets you specify for each program what files it can read,
    write, and execute.

        * vs. VMs: a VM totally isolates a package. It has as much access to
          the rest of the machine as a remote network connection will
          permit. SubDomain lets programs have controlled interaction
          through the file system and local IPC.
        * vs. Chroot: a properly configured chroot, similar to a VM, only
          allows socket communications, and is less secure.
        * vs. SELinux: you can do the same sort of thing with SELinux as in
          SubDomain, but SELinux is more difficult to use. For instance, the
          program profile for wuftpd in SELinux is 4.5X larger than the
          profile for the same program in SubDomain. SubDomain is also
          faster, with an overhead of 2% vs. an overhead of 6-15% in
          SELinux, and huge overheads for VMs.

    Elsewhere, Kevin Sheldrake wrote:

    > I'd be very interested in discussing working SE Linux considerations
    > and configurations. AFAIK it's a bit tricky to setup. I've got a
    > background in DEC MLS+ and Trusted Solaris and can probably configure
    > user space controls; it's the system level controls that I'm nervous
    > about. When we did it (on MLS+), it was a case of 'guess the privs'
    > and then add/subtract until the minimum working set was found. I'm
    > sure there must be a better way; I admit I haven't done a lot of
    > googling but as we were (almost) on the topic, I thought I'd ask the
    > wizards.

    Making this stuff easy to set up is what SubDomain does. I can demo
    creating a program profile for Apache in under 5 minutes, even while
    customers are watching :)

    Thanks to the LSM (Linux Security Modules) <>
    feature now in Linux 2.6, SubDomain is available as a plug-in
    application that you can install on top of existing Linux system


    Crispin Cowan, Ph.D.
    CTO, Immunix
    firewall-wizards mailing list

  • Next message: Abe Singer: "[fw-wiz] Re: Use content-based spam filters, not address-based ones"