[probably off-topic] RE: [FW1] FW-1 + VPN on Linux!
On Wed, 10 Nov 1999, J. Noble (INFO1) wrote:
> I speak for our group,
>
> Three Cheers for Lance.
>
> We certainly appreciate all of your hard work!
[snip]
> > Now this will all come back to the argument "how safe is Linux when anyone
> > can get the source code?". Both sides of this argument are compelling.
>
> One step ahead of you :)
> Armoring Linux -> http://www.enteract.com/~lspitz/linux.html
[snip]
Lance's document is very well done. I want to mention something I find
compelling if you're looking to add somewhat more serious security to Linux.
That is, more serious than Linux provides natively, not more serious than
Lance's configuration guide.
*Warning*, it's (a) not mainstream, (b) difficult to set up, (c) not as
well-documented as I'd like and (c) still under active development.
(actually, c is a feature :) )
http://www.rsbac.de/
Basically, Ruleset Based Access Control is an attempt to bring
traditional B1-like security to Linux. It's got roles, ACLs, Mandatory
Access Control, a Privacy Model that fits with the EU guidelines and a
Malware scanner that detects Bliss A and B. You can mix and match or
write your own mechanisms that use the framework (if you're extremely brave).
The newest test version (out today) also adds a neat feature of being
able to limit the role-granting role's ability to grant roles. This means
that not only is root no longer all-powerful, but you can have a box without
a single all-powerful role including the security officer, not that
gaining root gains security officer anyway :).
The current theory is that it should be possible to, for instance, set up
a Web server and allow completely untrusted CGIs to run without offering
compromise. Not sure how much reality there is in setting up such a
system, but I'm hoping to start playing more seriously with it because
it's at least very close, if not there already.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================