Firewall Wizards: Re: chroot useful?

Re: chroot useful?

From: Anton J Aylward <anton_at_toronto.com>
Date: Sun, 16 Nov 1997 08:55:33 -0500

At 07:12 PM 16/11/97 +1100, Darren Reed wrote:
## Reply Start ##

>[...mjr's email deleted...]
>
>So, how many firewalls out there implemented with any of the common
>operating systems (be they free or commercial) actually do this ?

Why not ask them? Many claim to run "hardened" versions of
BSD or LINUX. Vulnerabilities and exploits are well publicized,
and many of the developers read these lists. I doubt many
are going to be so arrogant as to take a NIH approach to something
Marcus has contributed to the state of the technology ;-)

>Yes, you can do these things. You can do a lot more too. But, as
>Marcus says, you have to know what to modify and how to modify it.
>Once you've got that knowledge, it's relatively trivial to hack it
>and make it work.

First: You don't need to, you being the end user of the firewall.
The firewall designer, the guy hardening the BSD or writing from
scratch DOES need to be aware of these things, as well as the techniques.
Chroot() is just one way of implementing a technique of virtualizing
a file system - putting the process in a box, if you will.
Other modified kernels have made the sockets only accessible thru the file
system (/dev/tcp/smtp ==> handler to look up the next segment in the path
such as /dev/tcp/smtp/nfr.com for example; this one has been documented).

Second: You are playing with language here, using 'hack' in the pejorative.
What Marcus did was redefine the specification of the kernel to say that
if a process is chroot()ed then it has reduced privilege. He showed how
that could be SIMPLY implemented using existing systems, without having to
invest in building a new system and preserving the investment in already
existing experience and technology. To me that makes damn good business
sense.

>Yes, I am working on something
>to address this and other related issues without being too complacent
>it or naive about what the result will be.

This is a clean sheet design, right, which doesn't use ANY BSD or
LINUX code? Or any other stuff in the public domain? I'm glad
you've got someone financing you for this. I hope they'll also
finance marketing your work against the established products as
well as those that will get to market in 10% of the time by "hacking"
at the LINUX and BSD kernels, as have many of the existing firewall
- and other security oriented - products.

/anton

## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward | "Quality refers to the extent to which
The Strahn & Strachan Group Inc | processes, products, services, and
Information Security Consultants | relationships are free from defects,
Voice: (416) 421-8182 | constraints and items which do not add
  Fax: (416) 421-8183 | value." - Dr. Mildred G Pryor, 1995
Received on Nov 16 1997
