Tony Collins wrote:
> Our product is an intrusion prevention/detection product (I work for Symantec
> and the product is Symantec Critical System Protection, if you're
> interested). We need to intercept all network requests to see if they are
> allowed by whatever policy is currently applied. This is similar to what
> an application level firewall does. So, autopushing our module on top of all
> open network streams is a prerequisite for being able to intercept all
> network traffic.
Interesting. I think it would be easier to intercept that at the IP layer, since there we have less unstable interfaces. In particular, in Solaris 10 update 4 we have the pfhooks interface which allows software to plug into the IP receive and transmit paths.

FWIW do you care about SCTP traffic? SCTP doesn't have a STREAMS interface since SCTP is wired directly to the socket layer. Hence the only way you can filter it is by intercepting the IP packets (with a module between IP and the driver in old releases, and using pfhooks in S10U4 and later).

And for future releases (see http://opensolaris.org/os/project/volo/) we will wire TCP and UDP directly to sockfs, but with some fallback mechanism which requires access to /dev/tcp, /dev/udp, and /dev/rawip. But the high-performance path would be the direct path.

>> The reason I'm asking is that some TCP streams are set up by the kernel
>> during boot (the TCP default queue) and there isn't an easy way to
>> interpose on that one. But depending on what you want to do, you might
>> not need to see that.
>>
>
> Hmmm... That's interesting. Could you shed some more light on that? I
> guess we would need to assess whether we think there is any potential
> security hole with any of these automagically plumbed streams.

I don't know to what extent the default queues are used for

> Looks like we need to modify our program to do this. We just blindly clear
> any configuration now and autopush our own module. Do you know if doing that
> will cause any issues with generic Solaris 8, 9, or 10? Obviously, if some
> other 3rd party program has done their own autopush configuration, we end up
> wiping out their configuration.

If you clear the existing autopush info things will not work. For earlier than S10 you will make TCP, UDP, raw sockets all stop working. For S10 you will not break TCP (since it has no autopush setup) but UDP and raw will still be broken.
Erik

_______________________________________________
networking-discuss mailing list
[email protected]
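As an added example (not code from the thread, from Symantec, or from Solaris), a POSIX shell script that merges a module into existing autopush(1M) entries instead of clearing them, which is the breakage Erik describes above for UDP and raw sockets. The module name "filtermod" and the sample configuration lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the product discussed.
# Merges a module into an existing autopush(1M) configuration entry instead
# of wiping the entry, so that third-party modules (and the stock UDP/raw
# setup) stay in place. Entry layout, as in /etc/iu.ap:
#   major minor last-minor module1 module2 ...
# Modules are pushed in listed order, so appending puts the new module on
# top of the stack, nearest the stream head, which is where an interception
# module sits. The module name "filtermod" is a hypothetical placeholder.

# merge_autopush_line "<entry>" "<module>": print the entry with <module>
# appended, or unchanged if the module is already listed. Returns 1 on a
# malformed entry (fewer than three fields).
merge_autopush_line() {
    entry=$1
    mod=$2
    set -- $entry
    [ $# -ge 3 ] || return 1
    major=$1 minor=$2 last=$3
    shift 3
    for m in "$@"; do
        if [ "$m" = "$mod" ]; then
            echo "$entry"
            return 0
        fi
    done
    # Squeeze the double space left when the entry had no modules yet.
    echo "$major $minor $last $* $mod" | tr -s ' '
}

# merge_autopush_config "<module>": rewrite a configuration read on stdin,
# passing blank lines and comments through untouched.
merge_autopush_config() {
    while IFS= read -r l; do
        case $l in
            ''|'#'*) echo "$l" ;;
            *) merge_autopush_line "$l" "$1" || echo "# skipped malformed entry: $l" ;;
        esac
    done
}

# Constructed sample configuration (not a real iu.ap), shown merged.
sample_config() {
    printf '%s\n' '# constructed sample' 'ptm -1 0 ldterm ttcompat' 'udp -1 0 udp'
}

sample_config | merge_autopush_config filtermod
```

Feed the real configuration (for example the output of autopush -g for the relevant devices, or the system's iu.ap) through merge_autopush_config and load the result, rather than installing a list that contains only your own module.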
