On Wed, 2009-07-29 at 07:47 +0300, Alon Bar-Lev wrote:
> Well,
> I do not understand you guys.

> If you think SELinux is so great, why do you need chroot?
> It is like you put some money in a safe, and then put the safe into
> another safe, it never ends... Why only two safes, let's put another
> safe...
> I know that this is the approach many security advisors use, but I
> never could have found the logic.
> If you want to keep your money safe use a single safe and select the
> strongest one.

        Security professionals refer to it as "defense in depth".  Look it up.
The opposite of which is "all your eggs in one basket".  Not good.

        With defense in depth, if an attacker finds a hole in one defensive
layer, he should get caught in another.  That way, he has to be perfect
and get through all your defenses without getting caught while you only
have to stop him at one.  The other way (single defense), your defense
must always be perfect and reliable while he only needs a single hole
through that single layer.

        Your choice.

> And final note regarding the iproute wrapper.
> It is a *WRAPPER*, if I needed top secured implementation I would have
> created a daemon listening to network change requests using unix
> domain sockets, wrap this up in SELinux profile, and implementing a
> logic that allows only changes to tap/tun interface with specific
> attributes, and allowing routing table update with specific details.
> Then add a wrapper that uses the unix domain socket in order to access
> the daemon. OpenVPN will use the wrapper so it needs no special
> privilege. The daemon validates what SELinux or any other security
> product cannot validate: Network configuration changes. All done
> within a valid and separate context.
> 
> As I wrote earlier, most of OpenVPN configurations need to execute
> iproute also during session. For example, if you like to connect two
> sites, your super SELinux secured solution will work only at one site.
> 
> No need to discuss this further. I get your point.
> 
> Alon.
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
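
The daemon design in the quoted message (a privileged helper reached over a Unix domain socket that only accepts tun/tap and specific routing changes) comes down to an allowlist check in front of `ip`. The sketch below is an added example, not code from this thread or from OpenVPN; the JSON request format, the operation names and the `ALLOWED_NETS` policy are assumptions made for illustration.

```python
import ipaddress
import json
import re
import socket

# Assumed policy, constructed for this example: allowed devices and route targets.
DEV_RE = re.compile(r"(tun|tap)\d{1,3}")
ALLOWED_NETS = [ipaddress.ip_network("10.8.0.0/16")]

def build_argv(raw: bytes) -> list[str]:
    """Validate one JSON request; return argv for ip(8) or raise ValueError."""
    try:
        req = json.loads(raw)
        dev, op = req.get("dev"), req.get("op")
    except (ValueError, AttributeError) as exc:  # bad JSON, or not a JSON object
        raise ValueError("malformed request") from exc
    if not isinstance(dev, str) or not DEV_RE.fullmatch(dev):
        raise ValueError("device is not a tun/tap interface")
    if op == "link_up":
        return ["ip", "link", "set", "dev", dev, "up"]
    if op == "route_add":
        try:
            # str(): JSON numbers must not be parsed as integer addresses.
            dst = ipaddress.ip_network(str(req.get("dst")))  # strict: no host bits
            via = ipaddress.ip_address(str(req.get("via")))
        except ValueError as exc:
            raise ValueError("bad route") from exc
        same_family = lambda n: n.version == dst.version == via.version
        if not any(same_family(n) and dst.subnet_of(n) for n in ALLOWED_NETS):
            raise ValueError("route outside allowed networks")
        return ["ip", "route", "add", str(dst), "via", str(via), "dev", dev]
    raise ValueError("operation not allowed")

def handle(conn: socket.socket, run=lambda argv: 0) -> bytes:
    """Serve one request; `run` stands in for subprocess.run(argv).returncode."""
    try:
        argv = build_argv(conn.recv(4096))
    except ValueError as exc:
        reply = f"DENY {exc}".encode()
    else:
        reply = b"OK" if run(argv) == 0 else b"FAIL"
    conn.sendall(reply)
    return reply

if __name__ == "__main__":
    wrapper, daemon = socket.socketpair()  # stands in for the daemon's Unix socket
    wrapper.sendall(b'{"op": "link_up", "dev": "eth0"}')  # constructed request
    print(handle(daemon), wrapper.recv(4096))
```

The argv is built as a list and never passed through a shell, so a device name cannot smuggle extra arguments; the unprivileged side only ever sees `OK`, `FAIL` or `DENY`.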
