Re: Network Security - Monolithic or Modular?
- From: Ertugrul Soeylemez <never@xxxxxxxxxxxxxx>
- Date: Thu, 30 Mar 2006 12:09:52 +0200
John <John@xxxxxxxxxxxxx> (06-03-29 16:20:18):
I am interested in your input on the issue of which of the following
makes for better network security under Linux.
a) compile everything you need into the kernel proper, eliminating any
module loading. Please confirm that it is possible to completely turn
off module loading in the kernel.
b) compile as little as possible into the kernel proper, with most
functionality provided by loadable modules.
From my reading, the second alternative allows for better tunability
since you can unload and reload the modules (perhaps with different
parameters) without having to reboot. Apparently there is room for an
unauthorized module to get loaded though. How would that be
prevented? On the other hand, even if everything is contained inside
the kernel, it is still possible to alter the behavior of the running
kernel on the fly by writing to /proc. Is that absolutely necessary
for linux to run properly and if not, how is a rogue process prevented
from doing it?
Assuming the objective is to maximize network security, which is the
better approach and why? It seems as if either alternative is
possible these days when a gigabyte of memory costs a hundred dollars,
so which is best?
This question cannot be answered right away, and it is not related to
security. There are a lot of things to consider, before you can make
that decision. Firstly, what kind of host is it? If it is a
workstation, then you are not going to turn off module loading anyway,
because many third party drivers come as kernel modules.
If you are that afraid of kernel module loading, but you cannot turn it
off, then you can harden your system with SELinux or grsecurity.
Personally I use the latter one (but not because of module loading).
They have in common that you can destroy the possibility to load modules
as root. So you add some kind of user, which is 'above root', and the
root user becomes less privileged.
Now to the /proc interface, and as of Linux 2.6, also to the /sys
interface. Important configuration options can be changed there, and
many system informations can be read. This is the intention of those
interfaces, so it is not a threat by itself. Nobody could harm your
system via /proc or /sys as a normal user. By using one of the two
packages mentioned above, you can restrict write access (and also read
access) to those pseudo-filesystems. E.g. on my system, only root can
read /proc/sys. Normal users can't even read it.
To secure your system, all you have to do is to prevent privilege
escalation (this includes not only system privileges, but also network
privileges). So normal users must not have the possibility to become
root, or read network traffic not intended for them. If this is the
case, then you don't even need the security packages, and you don't have
to worry about /proc or /sys.
Short: Configure your system properly, so it doesn't matter whether you
allow module loading or not, or how much read access normal users have
to /proc and /sys. Securing your system by disclosing system
informations is security by obscurity. And 'securing' your system by
restricting the root user is even worse.
Regards.
.
- Follow-Ups:
- References:
- Network Security - Monolithic or Modular?
- From: John
- Network Security - Monolithic or Modular?
- Prev by Date: Re: Any reasons to filter ARP packets?
- Next by Date: Re: Network Security - Monolithic or Modular?
- Previous by thread: Re: Network Security - Monolithic or Modular?
- Next by thread: Re: Network Security - Monolithic or Modular?
- Index(es):
Relevant Pages
|
