Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, thank you for your clarification. I think I prefer Crossbow because it is a "modern" approach.

Regarding threat model, I prefer to have as much separated traffic as possible, therefore I prefer exclusive-ip instead of shared ip.
--
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 11/28/10 14:50, Orvar Korvar wrote:
> Sorry, I didn't really get that. Could you explain a bit what you did, for a
> solaris noob? You just shut down the global NIC, and the local zone NIC still
> works? Yes?
>
> A question: I see that you use shared ip. Isn't that less safe than
> exclusive-ip because several zones share the same NIC in your case? If you
> want to separate traffic maximally, you should use exclusive-ip, yes?

"Safe" is better defined if you have some sort of threat model in mind. It's unclear (at least to me) what that is.

With an exclusive IP instance, the non-global zone itself has more access than with a shared IP instance, because the zone has to configure its own interface. With shared IP instance, the zone has no ability to control the interface in any way at all -- it can't set the address or (at least by default) send raw data.

There are trade-offs in each approach.

> If I use exclusive IP, I must configure virtual nics with crossbow - yes?

No. If you use exclusive IP instances, you need to have separate interfaces. One way to get there is with virtual NICs. Another is by using separate VLANs on a single NIC. Still another is by using multiple NICs. It's not a requirement to use virtual NICs, but it's one more thing that you _can_ do.

> I am actually trying this, but can not get my zone to ping the world. The local
> zone exclusive-IP NIC does not work. When I get this scenario to work, I will
> post everything here, how to do it. So others can follow. But I need help
> during this research phase. Please help me answer my questions above?

Check the usual things -- such as the subnet mask configured on the interface and the routes. With exclusive IP instances, the zone itself must set up the routes it needs. With shared IP instances, all routing is done in the global zone alone.

--
James Carlson 42.703N 71.076W
Re: [zones-discuss] Possible to use zones for hardening? Security?
Sorry, I didn't really get that. Could you explain a bit what you did, for a solaris noob? You just shut down the global NIC, and the local zone NIC still works? Yes?

A question: I see that you use shared ip. Isn't that less safe than exclusive-ip because several zones share the same NIC in your case? If you want to separate traffic maximally, you should use exclusive-ip, yes?

If I use exclusive IP, I must configure virtual nics with crossbow - yes?

I am actually trying this, but can not get my zone to ping the world. The local zone exclusive-IP NIC does not work. When I get this scenario to work, I will post everything here, how to do it. So others can follow. But I need help during this research phase. Please help me answer my questions above?
Re: [zones-discuss] Possible to use zones for hardening? Security?
In message <1481154627.91285535031577.javamail.tweb...@sf-app1>, Orvar Korvar writes:
>Ok, so I shut down e1000g0 which means my global zone can not access internet.
>The local zone will have e1000g0:1 which I do not shut down, which means the
>local zone can access internet. Correct?

Works for me.

# ifconfig e1000g0 |grep inet
inet 192.168.1.2 netmask ff00 broadcast 192.168.1.255
# zonecfg -z foo export
create -b
set zonepath=/var/opt/zones/foo
set brand=ipkg
set autoboot=false
set ip-type=shared
add net
set address=192.168.1.3/24
set physical=e1000g0
set defrouter=192.168.1.1
end
# ifconfig e1000g0:1
e1000g0:1: flags=1100843 mtu 1500 index 2
zone foo
inet 192.168.1.3 netmask ff00 broadcast 192.168.1.255
# ifconfig e1000g0 down

John
groenv...@acm.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
> how can I ssh into a local zone if the global zone has no outside connection??

you have 2 options.
1. from the global you can simply use zlogin zonename and you're in.
2. you can add tcp wrappers to the non-global zone to only allow ssh connections from the global.

> Date: Fri, 26 Nov 2010 04:22:56 -0800
> From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
>
> So you suspect there is no need to shut down the global NIC, if the zone uses
> exclusive IP and it is on a separate subnet and there is no routing between
> the zones?
>
> Ok, that is an interesting thought. What do you other people say? In that
> case a local zone can not ping (reach) the global zone?
>
> I was thinking that the only way to reach internet, would be through a local
> zone. The global zone should be completely isolated from the rest of the
> world (zones, internet) and have no working NIC. The question is, in that
> case, how can I ssh into a local zone if the global zone has no outside
> connection??
>
> (BTW, I don't know how to do what you suggest, as I am a Solaris noob. I just
> planned to create exclusive-ip vnic and a vswitch and connect them - have I
> done what you described then? Are they on a separate subnet? Or do I need to
> do some additional configuration?)
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 November 2010 13:25, Orvar Korvar wrote:
> If hacker exploits a bug in the VBox driver and corrupts kernel memory so he
> gets into the global zone, then maybe it is safer to not use VBox?

If such bug exists then it'll be safer to not use VBox, however, I'm not aware of any such bug. VBox is nice and if you need a Windows guest you can't virtualise it using zones and actually VBox could be a good choice. The question is the added value of running VBox in a local zone.
Re: [zones-discuss] Possible to use zones for hardening? Security?
If hacker exploits a bug in the VBox driver and corrupts kernel memory so he gets into the global zone, then maybe it is safer to not use VBox? And only use local zones for reaching the outside world? And shutdown the NIC to the global zone?
Re: [zones-discuss] Possible to use zones for hardening? Security?
So you suspect there is no need to shut down the global NIC, if the zone uses exclusive IP and it is on a separate subnet and there is no routing between the zones?

Ok, that is an interesting thought. What do you other people say? In that case a local zone can not ping (reach) the global zone?

I was thinking that the only way to reach internet, would be through a local zone. The global zone should be completely isolated from the rest of the world (zones, internet) and have no working NIC. The question is, in that case, how can I ssh into a local zone if the global zone has no outside connection??

(BTW, I don't know how to do what you suggest, as I am a Solaris noob. I just planned to create exclusive-ip vnic and a vswitch and connect them - have I done what you described then? Are they on a separate subnet? Or do I need to do some additional configuration?)
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 November 2010 10:50, Orvar Korvar wrote:
> petrben,
> Yes that is my question too: "is running in a local zone safer?". That is why
> I created this thread.

Yep and I found your question interesting and want to know more as well. If you are the only administrator on the machine is there any security benefit of running VBox in the local zone? So far it seems to me that it doesn't make things worse while there is no clear reason it should provide any remarkable advantage. Negative is that you have one more machine to administer and you may hit more problems later on upgrades etc.

>
> I was thinking something like this: If someone hacks my WinXP, then he must
> bypass VBox. Then he is inside the local zone. Then he must get root access
> to the local zone. Then he must break the zone to get into the global zone.
> When he is in the global zone, he must gain root access. Then he is in my
> computer.
>
> To prevent this, I shut down the NIC to the global zone. Then there is no
> communication between the global zone and local zones. So how can a hacker
> inside a local zone, gain access to the global zone? The global zone does not
> respond to any communication, because its NIC is down.
>
> But you say something like: if a hacker takes control over VBox, then he also
> gets inside the kernelspace and then he bypasses zones and everything and is
> inside the global zone? He does not have to go through NICs and zones and
> what not?

I'm not a security expert nor VBox or zones developer. But if the attacker successfully exploits a hypothetical bug in the VBox driver he'll be able to corrupt the kernel memory; whether it happens in the local zone or not makes no significant difference. If he only breaks out of VBox and stays confined in the zone it is of course "A difference" and even if he manages to get root in the zone there must be another serious flaw to break out of the zone.

On the other side if it happens in the global zone and if there is no local exploitable bug he'll stay as an ordinary user in the global zone and other users will be relatively safe.

Crossbow and resource management could be done in the global zone as well without the need of zone installation. And again in case you are the only administrator you have no reason to mis-configure the guest to fill all available memory ...

Petr
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 Nov 2010, at 10:50, Orvar Korvar wrote:
> petrben,
> Yes that is my question too: "is running in a local zone safer?". That is why
> I created this thread.
>
> I was thinking something like this: If someone hacks my WinXP, then he must
> bypass VBox. Then he is inside the local zone. Then he must get root access
> to the local zone. Then he must break the zone to get into the global zone.
> When he is in the global zone, he must gain root access. Then he is in my
> computer.
>
> To prevent this, I shut down the NIC to the global zone. Then there is no
> communication between the global zone and local zones. So how can a hacker
> inside a local zone, gain access to the global zone? The global zone does not
> respond to any communication, because its NIC is down.
>

There is probably no need to shutdown the NIC in the global zone. As long as you configure the zone to use exclusive IP and make sure the zone is on a separate subnet from the global zone and there is no routing between the subnets you should be fine. You could also use the crossbow features to create an internal network and do all kinds of firewalling between your VBox zone and the rest of the world.

Paul

> But you say something like: if a hacker takes control over VBox, then he also
> gets inside the kernelspace and then he bypasses zones and everything and is
> inside the global zone? He does not have to go through NICs and zones and
> what not?
Re: [zones-discuss] Possible to use zones for hardening? Security?
petrben,
Yes that is my question too: "is running in a local zone safer?". That is why I created this thread.

I was thinking something like this: If someone hacks my WinXP, then he must bypass VBox. Then he is inside the local zone. Then he must get root access to the local zone. Then he must break the zone to get into the global zone. When he is in the global zone, he must gain root access. Then he is in my computer.

To prevent this, I shut down the NIC to the global zone. Then there is no communication between the global zone and local zones. So how can a hacker inside a local zone, gain access to the global zone? The global zone does not respond to any communication, because its NIC is down.

But you say something like: if a hacker takes control over VBox, then he also gets inside the kernelspace and then he bypasses zones and everything and is inside the global zone? He does not have to go through NICs and zones and what not?
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 November 2010 04:07, Jeff Victor wrote:
> On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes wrote:
>>> Limit the damage if the Zone's VBox application is somehow
>>> subverted by the guest OS.
>>
>> There are VBox modules in the kernel and the containers framework
>> can't stop misbehavior in kernelspace.
>
> The use of kernel modules in VBox doesn't weaken the security of
> Zones. Other software accessible in a zone ultimately uses kernel
> modules. Gaining unfettered control over kernel space is the hard
> part. In any case, please see more detail below.
>
>>> Beyond security, running VBox in a Zone allows you to make
>>> use of Zone Resource Controls and Crossbow networking.
>>> Cool stuff!
>>
>> No question about cool features. My concern is if running VBox in a
>> local zone has any security advantage regarding an evil guest over
>> running it in the global one. And if so, why?
>
> Because all processes running in a zone run with a reduced privilege
> set, compared to processes running in the global zone. For example, a
> process in a zone cannot have the proc_zone privilege, so a process in
> one zone cannot send a signal to another process. Also, by default, a
> process in a zone does not have the sys_time privilege, so it cannot
> change the system's time clock. (The global zone administrator can
> give the sys_time privilege to one or more zones, after which they
> would be able to change the system's time clock.) See the man page
> privileges(5).

How could a guest inside the VBox use any of these features? All privileged stuff is done via /dev/vbox* you granted the zone to access if I got it correctly.

>
> Is the security framework of Zones good enough? An independent
> security certification gave Solaris Trusted Extensions (which uses
> Zones to compartmentalize information) a rating of EAL4+ with three
> different profiles - the highest rating achieved by a general purpose
> operating system.
>
> For more information on security and Solaris Zones, please read the
> paper "Understanding the Security Capabilities of Solaris Zones"
> written by Glenn Brunette and myself:
> http://hub.opensolaris.org/bin/download/Project+isc/WebHome/820%2D7017.pdf

That's actually a bit different use and will be plausible only after VBox will be certified to run under trusted zones.

Petr
Re: [zones-discuss] Possible to use zones for hardening? Security?
On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes wrote:
>> Limit the damage if the Zone's VBox application is somehow
>> subverted by the guest OS.
>
> There are VBox modules in the kernel and the containers framework
> can't stop misbehavior in kernelspace.

The use of kernel modules in VBox doesn't weaken the security of Zones. Other software accessible in a zone ultimately uses kernel modules. Gaining unfettered control over kernel space is the hard part. In any case, please see more detail below.

>> Beyond security, running VBox in a Zone allows you to make
>> use of Zone Resource Controls and Crossbow networking.
>> Cool stuff!
>
> No question about cool features. My concern is if running VBox in a
> local zone has any security advantage regarding an evil guest over
> running it in the global one. And if so, why?

Because all processes running in a zone run with a reduced privilege set, compared to processes running in the global zone. For example, a process in a zone cannot have the proc_zone privilege, so a process in one zone cannot send a signal to another process. Also, by default, a process in a zone does not have the sys_time privilege, so it cannot change the system's time clock. (The global zone administrator can give the sys_time privilege to one or more zones, after which they would be able to change the system's time clock.) See the man page privileges(5).

Is the security framework of Zones good enough? An independent security certification gave Solaris Trusted Extensions (which uses Zones to compartmentalize information) a rating of EAL4+ with three different profiles - the highest rating achieved by a general purpose operating system.

For more information on security and Solaris Zones, please read the paper "Understanding the Security Capabilities of Solaris Zones" written by Glenn Brunette and myself:
http://hub.opensolaris.org/bin/download/Project+isc/WebHome/820%2D7017.pdf

--JeffV
Re: [zones-discuss] Possible to use zones for hardening? Security?
> Limit the damage if the Zone's VBox application is somehow
> subverted by the guest OS.

There are VBox modules in the kernel and the containers framework can't stop misbehavior in kernelspace.

>
> Beyond security, running VBox in a Zone allows you to make
> use of Zone Resource Controls and Crossbow networking.
> Cool stuff!

No question about cool features. My concern is if running VBox in a local zone has any security advantage regarding an evil guest over running it in the global one. And if so, why? VBox process itself doesn't run as root but there are its drivers the attack may go through.

Petr

>
> John
> groenv...@acm.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
In message , Petr Benes writes:
>Hmm. VBox obviously needs to be installed in the global zone before.
>Is running it in a local zone significantly safer? Yep for separating
>different possible users, but it won't make running guests safer per
>se. What is the supposed security merit there?

Finer grain delegation of VBox management to the Zone's administrator.

Limit the damage if the Zone's VBox application is somehow subverted by the guest OS.

Beyond security, running VBox in a Zone allows you to make use of Zone Resource Controls and Crossbow networking. Cool stuff!

John
groenv...@acm.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
Hmm. VBox obviously needs to be installed in the global zone before. Is running it in a local zone significantly safer? Yep for separating different possible users, but it won't make running guests safer per se. What is the supposed security merit there?

On 25 November 2010 11:25, Petr Benes wrote:
> Oh, thanks.
>
> On 25 November 2010 11:25, Cyril Plisko wrote:
>> On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes wrote:
>>> I bet VBox can't run inside the local zone.
>>
>> Well, you lost. See VirtualBox User Manual
>>
>> 2.4.5 Configuring a zone for running VirtualBox
>>
>>> On 24 November 2010 20:04, Orvar Korvar wrote:
>>>> Uhmmm... A thought just struck me.
>>>>
>>>> Is it really possible to do what I was thinking? If I install WinXP
>>>> virtually, in VirtualBox, in a local zone - then I shut down the global
>>>> zone NIC - how can I reach the local zone then? It should not be possible?
>>>>
>>>> There is no connection between local zone and global zone - because global
>>>> zone NIC is shutdown - so how can I surf the web from the local zone??? ssh
>>>> does not work, because it connects to the global zone's NIC? Or?
>>
>> --
>> Regards,
>> Cyril
Re: [zones-discuss] Possible to use zones for hardening? Security?
Oh, thanks.

On 25 November 2010 11:25, Cyril Plisko wrote:
> On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes wrote:
>> I bet VBox can't run inside the local zone.
>
> Well, you lost. See VirtualBox User Manual
>
> 2.4.5 Configuring a zone for running VirtualBox
>
>> On 24 November 2010 20:04, Orvar Korvar wrote:
>>> Uhmmm... A thought just struck me.
>>>
>>> Is it really possible to do what I was thinking? If I install WinXP
>>> virtually, in VirtualBox, in a local zone - then I shut down the global
>>> zone NIC - how can I reach the local zone then? It should not be possible?
>>>
>>> There is no connection between local zone and global zone - because global
>>> zone NIC is shutdown - so how can I surf the web from the local zone??? ssh
>>> does not work, because it connects to the global zone's NIC? Or?
>
> --
> Regards,
> Cyril
Re: [zones-discuss] Possible to use zones for hardening? Security?
On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes wrote:
> I bet VBox can't run inside the local zone.

Well, you lost. See VirtualBox User Manual

2.4.5 Configuring a zone for running VirtualBox

>
> On 24 November 2010 20:04, Orvar Korvar wrote:
>> Uhmmm... A thought just struck me.
>>
>> Is it really possible to do what I was thinking? If I install WinXP
>> virtually, in VirtualBox, in a local zone - then I shut down the global zone
>> NIC - how can I reach the local zone then? It should not be possible?
>>
>> There is no connection between local zone and global zone - because global
>> zone NIC is shutdown - so how can I surf the web from the local zone??? ssh
>> does not work, because it connects to the global zone's NIC? Or?

--
Regards,
Cyril
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 11/25/10 11:08 PM, Petr Benes wrote:
> I bet VBox can't run inside the local zone.

See the rest of this thread!

--
Ian.
Re: [zones-discuss] Possible to use zones for hardening? Security?
I bet VBox can't run inside the local zone.

On 24 November 2010 20:04, Orvar Korvar wrote:
> Uhmmm... A thought just struck me.
>
> Is it really possible to do what I was thinking? If I install WinXP
> virtually, in VirtualBox, in a local zone - then I shut down the global zone
> NIC - how can I reach the local zone then? It should not be possible?
>
> There is no connection between local zone and global zone - because global
> zone NIC is shutdown - so how can I surf the web from the local zone??? ssh
> does not work, because it connects to the global zone's NIC? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Uhmmm... A thought just struck me.

Is it really possible to do what I was thinking? If I install WinXP virtually, in VirtualBox, in a local zone - then I shut down the global zone NIC - how can I reach the local zone then? It should not be possible?

There is no connection between local zone and global zone - because global zone NIC is shutdown - so how can I surf the web from the local zone??? ssh does not work, because it connects to the global zone's NIC? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Orvar Korvar wrote:
> I am still confused. "cjg" wrote at the very bottom, that it is possible to shutdown internet connection to the global zone and provided a link. I don't understand what the link says, as I am a Solaris noob. Can someone explain?
>
> I don't feel I have a definitive answer. Is it possible to shut down internet connection to the global zone, or not? And if it is possible, how do I do it? Just by "ifconfig e1000g0 down" or something similar?

Yes. That is sufficient.

--Glenn
Re: [zones-discuss] Possible to use zones for hardening? Security?
I am still confused. "cjg" wrote at the very bottom, that it is possible to shutdown internet connection to the global zone and provided a link. I don't understand what the link says, as I am a Solaris noob. Can someone explain?

I don't feel I have a definitive answer. Is it possible to shut down internet connection to the global zone, or not? And if it is possible, how do I do it? Just by "ifconfig e1000g0 down" or something similar?

Regarding VirtualBox. According to the book "Oracle Solaris 10 System Virtualization Essentials" by Victor, et al, it says that it is possible to install VirtualBox into the global zone and startup VirtualBox in a local zone and install the virtual machine in the local zone. The syntax is this:

# zonecfg
add device
set match=/dev/vboxdrv
end

Hence, you just configure your zone as usual, but you also add the above lines when you configure your local zone. Then you can fire up VirtualBox in the local zone.

Regarding "exclusive-ip" in the zone configuration. If I set "exclusive-ip" to a vnic, then no other zone can access the vnic. That is the reason I want to use exclusive-ip.
Re: [zones-discuss] Possible to use zones for hardening? Security?
Not true. b134 has crossbow and you can configure it such that the global zone does not have access to the internet.

See http://chrisgerhard.wordpress.com/2009/01/01/http-proxy-in-a-zone/

--chris
Re: [zones-discuss] Possible to use zones for hardening? Security?
I stand corrected. Thanks for the update Glenn.

Jerry

On 09/30/10 16:33, Glenn Faden wrote:
> VBox definitely works in zones. It installs a global zone SMF service,
> VBoxService, to take care of loading the kernel modules since this can't
> be done by a NGZ.
>
> see http://www.virtualbox.org/changeset/24240
>
> --Glenn
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 10/ 1/10 10:33 AM, Glenn Faden wrote:
> VBox definitely works in zones. It installs a global zone SMF service, VBoxService, to take care of loading the kernel modules since this can't be done by a NGZ.
>
> see http://www.virtualbox.org/changeset/24240

Ah, so I was correct in stating VirtualBox can't be *installed* in a zone. I didn't realise it could be run in a zone when installed in the global zone.

--
Ian.
Re: [zones-discuss] Possible to use zones for hardening? Security?
VBox definitely works in zones. It installs a global zone SMF service, VBoxService, to take care of loading the kernel modules since this can't be done by a NGZ.

see http://www.virtualbox.org/changeset/24240

--Glenn

Jerry Kemp wrote:
> Ian,
>
> I believe that you are correct in your comment about running VirtualBox in a zone.
>
> While I haven't attempted it myself, I believe that VirtualBox will not work from a zone because VirtualBox needs to load kernel modules.
>
> here is an example:
>
> ultra20 /root 401 # modinfo | grep -i vbox
> 175 f85127f0a88 345 1 vboxnet (VirtualBox NetAdp 3.1.4r57640)
> 177 f8682000 24de8 344 1 vboxdrv (VirtualBox HostDrv 3.1.4r57640)
> 250 f89e2000 6a20 346 1 vboxflt (VirtualBox NetDrv 3.1.4r57640)
> 250 f89e2000 6a20 - 1 vboxflt (VirtualBox NetMod 3.1.4r57640)
> 251 f89e9000 4598 347 1 vboxusbmon (VirtualBox USBMon 3.1.4r57640)
> 252 f89ee000 6de8 348 1 vboxusb (VirtualBox USB 3.1.4r57640)
> ultra20 /root 402 # uname -a
> SunOS ultra20 5.11 snv_130 i86pc i386 i86pc
> ultra20 /root 403 #
>
> Jerry
>
> On 09/30/10 15:55, Ian Collins wrote:
>> I don't think you can install VirtualBox in a zone. If you are using
>> VirtualBox, you can use the same networking tricks to get isolation as
>> you would use for a zone.
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ian,

I believe that you are correct in your comment about running VirtualBox in a zone.

While I haven't attempted it myself, I believe that VirtualBox will not work from a zone because VirtualBox needs to load kernel modules.

here is an example:

ultra20 /root 401 # modinfo | grep -i vbox
175 f85127f0a88 345 1 vboxnet (VirtualBox NetAdp 3.1.4r57640)
177 f8682000 24de8 344 1 vboxdrv (VirtualBox HostDrv 3.1.4r57640)
250 f89e2000 6a20 346 1 vboxflt (VirtualBox NetDrv 3.1.4r57640)
250 f89e2000 6a20 - 1 vboxflt (VirtualBox NetMod 3.1.4r57640)
251 f89e9000 4598 347 1 vboxusbmon (VirtualBox USBMon 3.1.4r57640)
252 f89ee000 6de8 348 1 vboxusb (VirtualBox USB 3.1.4r57640)
ultra20 /root 402 # uname -a
SunOS ultra20 5.11 snv_130 i86pc i386 i86pc
ultra20 /root 403 #

Jerry

On 09/30/10 15:55, Ian Collins wrote:
>
> I don't think you can install VirtualBox in a zone. If you are using
> VirtualBox, you can use the same networking tricks to get isolation as
> you would use for a zone.
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 10/ 1/10 09:42 AM, Orvar Korvar wrote:
> Ok, now I am confused. I want to shut down all internet connection to my global zone. I don't want to shut down the global zone, only the internet connection. I want to reach internet only from local zones. Some of the local zones will have a server application running. Others will just be used for surfing. I will install VirtualBox in the local zones.

I don't think you can install VirtualBox in a zone. If you are using VirtualBox, you can use the same networking tricks to get isolation as you would use for a zone.

> Is this possible or not? Some say yes, other say no?

The response you didn't quote answered your question:

On 09/30/10 08:38 AM, Glenn Faden wrote:
> Assuming you're using the shared IP stack (default), it is sufficient for the global zone interface(s) to be plumbed so that the non-global zones can use logical instances of the interface(s). So setting the GZ interfaces as "down" will prevent network access to/from the global zone.

> I believe I should use exclusive-ip in the local zones? Or?

You can, but you don't have to.

--
Ian.
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, now I am confused. I want to shut down all internet connection to my global zone. I don't want to shut down the global zone, only the internet connection. I want to reach internet only from local zones. Some of the local zones will have a server application running. Others will just be used for surfing. I will install VirtualBox in the local zones.

Is this possible or not? Some say yes, others say no?

I believe I should use exclusive-ip in the local zones? Or?

-- This message posted from opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
Assuming you're using the shared IP stack (default), it is sufficient for the global zone interface(s) to be plumbed so that the non-global zones can use logical instances of the interface(s). So setting the GZ interfaces as "down" will prevent network access to/from the global zone.

--Glenn

Jordan Vaughan wrote:
> Is there a way to disable all remote connections to the GZ? In other
> words, couldn't you use a firewall to reject connections on all ports to
> the GZ? That would effectively deny remote access to the GZ without having
> to disable any network interfaces. Of course, disabling the GZ's
> interface(s) is preferable (it's simpler), but I'm not sure if it's
> possible. I haven't tried it.
>
> Jordan
>
> On 09/29/10 10:33 AM, Orvar Korvar wrote:
>> Ok, so it is impossible to shut down internet connection to the global
>> zone and surf only from the local zones. If I want to surf from the local
>> zones, the global zone's NIC must be activated. I suspect a hacker will
>> attack the global zone, instead of the local zone that I surf from.
>>
>> Are there any other ways to increase security instead of my original plan
>> (shutting down the global zone and surf from local zones)? I am afraid
>> the global zone will be attacked...

-- ORACLE Glenn Faden | Senior Principal Software Engineer | Phone: +1 650 786 4003 | Mobile: +1 415 637 8181 | Oracle Solaris Security, Solaris Core OS Technology Engineering
Re: [zones-discuss] Possible to use zones for hardening? Security?
Is there a way to disable all remote connections to the GZ? In other words, couldn't you use a firewall to reject connections on all ports to the GZ? That would effectively deny remote access to the GZ without having to disable any network interfaces. Of course, disabling the GZ's interface(s) is preferable (it's simpler), but I'm not sure if it's possible. I haven't tried it.

Jordan

On 09/29/10 10:33 AM, Orvar Korvar wrote:
> Ok, so it is impossible to shut down internet connection to the global
> zone and surf only from the local zones. If I want to surf from the local
> zones, the global zone's NIC must be activated. I suspect a hacker will
> attack the global zone, instead of the local zone that I surf from.
>
> Are there any other ways to increase security instead of my original plan
> (shutting down the global zone and surf from local zones)? I am afraid
> the global zone will be attacked...
Re: [zones-discuss] Possible to use zones for hardening? Security?
Hi,

You cannot shut down the GZ. The GZ runs the kernel and all services for the NGZ. But you can set up a firewall to restrict access by IP, TCP service and port.

--- Original message ---
From: Orvar Korvar
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 13:33

> Ok, so it is impossible to shut down internet connection to the global
> zone and surf only from the local zones. If I want to surf from the local
> zones, the global zone's NIC must be activated. I suspect a hacker will
> attack the global zone, instead of the local zone that I surf from.
>
> Are there any other ways to increase security instead of my original plan
> (shutting down the global zone and surf from local zones)? I am afraid
> the global zone will be attacked...
Re: [zones-discuss] Possible to use zones for hardening? Security?
Orvar Korvar wrote:
> Ok, so it is impossible to shutdown internet connection to the global zone
> and surf only from the local zones. If I want to surf from the local zones,
> the global zone's NIC must be activated. I suspect a hacker will attack the
> global zone, instead of the local zone that I surf from.

There's no need to assign any addresses to the global zone. I'm pretty sure there are others (Dan McDonald, probably) who have experimented with the sort of configuration you're describing.

> Are there any other ways to increase security instead of my original plan
> (shutting down the global zone and surf from local zones)? I am afraid the
> global zone will be attacked...

If you set up the global zone having no interfaces (just lo0), and set up the non-global zones using the "set ip-type=exclusive" mechanism, the non-global zones will have networking that's completely independent of the global zone.

You can't "shut down" the global zone, but you certainly can configure it so that it doesn't have any available networking interfaces.

-- James Carlson 42.703N 71.076W
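The two configurations discussed in this thread, put into a script, as an added example that is not code from any of the posters: James Carlson's layout above (global zone with only lo0, exclusive-IP zones on their own links) and Glenn Faden's shared-IP layout (global zone interface plumbed but marked down, zones on logical instances). The first function only prints the dladm(1M)/zonecfg(1M) commands for one exclusive-IP zone on a Crossbow VNIC; the second reads `ifconfig -a` output from the global zone and reports every interface that still makes the global zone reachable, so you can confirm the result of either approach. The NIC name e1000g0, the zone name zone1, the VNIC name vnic0 and the zonepath are assumptions, and the ifconfig samples are constructed, not captured from a real machine. Nothing in the block changes the running system.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code). Assumes the
# OpenSolaris / Solaris 11 Express tools named in the thread: dladm, zonecfg,
# ifconfig. Zone, VNIC, NIC and zonepath names are assumptions.
# gen_isolation_steps only prints commands; gz_exposed_ifaces only reads
# ifconfig output fed to it on stdin. Neither touches the running system.

# Print the global-zone and zonecfg steps for one exclusive-IP zone whose only
# link is a Crossbow VNIC layered on the physical NIC. The global zone keeps the
# physical link at the datalink layer only and never plumbs an address on it.
gen_isolation_steps() {
    nic=$1 zone=$2 vnic=$3
    cat <<EOF
# Global zone: no IP on the physical link, just the datalink for the VNIC.
ifconfig $nic unplumb
dladm create-vnic -l $nic $vnic
# zonecfg script for $zone: the zone owns $vnic and configures it itself.
zonecfg -z $zone <<'ZCFG'
create
set zonepath=/zones/$zone
set ip-type=exclusive
add net
set physical=$vnic
end
commit
exit
ZCFG
EOF
}

# Read global-zone "ifconfig -a" output on stdin and print every interface that
# leaves the global zone reachable: flagged UP, carrying a non-zero IPv4
# address, not loopback, and not a logical instance lent to a shared-IP zone
# (those show a "zone <name>" line under the interface header).
# Exit 0 when only lo0 carries an address, 1 when something is exposed.
gz_exposed_ifaces() {
    awk '
        /^[^ \t]+: flags=/ {
            iface = $1; sub(/:$/, "", iface)
            up = ($2 ~ /[<,]UP[,>]/)
            zone = "global"
            next
        }
        /^[ \t]+zone / { zone = $2; next }
        /^[ \t]+inet / {
            if (iface !~ /^lo0/ && zone == "global" && up && $2 != "0.0.0.0") {
                print iface; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: global zone still has e1000g0 UP with an address.
SAMPLE_EXPOSED='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.10 netmask ffffff00 broadcast 192.168.1.255'

# Constructed sample: shared-IP layout after "ifconfig e1000g0 down" in the
# global zone, with zone1 using the logical instance e1000g0:1.
SAMPLE_SHARED_DOWN='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.10 netmask ffffff00 broadcast 192.168.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone zone1
        inet 192.168.1.11 netmask ffffff00 broadcast 192.168.1.255'

gen_isolation_steps e1000g0 zone1 vnic0

for sample in "$SAMPLE_EXPOSED" "$SAMPLE_SHARED_DOWN"; do
    if exposed=$(printf '%s\n' "$sample" | gz_exposed_ifaces); then
        echo "OK: only lo0 carries an address in the global zone"
    else
        echo "global zone reachable via: $exposed"
    fi
done
```

Run the check from the global zone as `ifconfig -a | sh -c '. ./gz.sh; gz_exposed_ifaces'` (or paste the function into your shell) after the change and again after a reboot: a `down` or unplumbed interface can come back at boot if an /etc/hostname.<nic> file still exists or NWAM is managing the link, so the boot-time state is the one to verify.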
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, so it is impossible to shut down internet connection to the global zone and surf only from the local zones. If I want to surf from the local zones, the global zone's NIC must be activated. I suspect a hacker will attack the global zone, instead of the local zone that I surf from.

Are there any other ways to increase security instead of my original plan (shutting down the global zone and surf from local zones)? I am afraid the global zone will be attacked...
Re: [zones-discuss] Possible to use zones for hardening? Security?
--- Original message ---
From: Orvar Korvar
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 10:13

> I want to shut down the global zone, and want to surf only from local
> zones. You mean this is not possible?

Not possible

> I don't really understand the implications of your post. What are you
> trying to say? That I must use Crossbow in b134? Or, that my plan is not
> possible to do? Or, that I should not shut down the global NIC? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
I want to shut down the global zone, and want to surf only from local zones. You mean this is not possible?

I don't really understand the implications of your post. What are you trying to say? That I must use Crossbow in b134? Or, that my plan is not possible to do? Or, that I should not shut down the global NIC? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
On Sun, Sep 26, 2010 at 5:03 PM, Orvar Korvar wrote:
> Ok, so I shut down e1000g0 which means my global zone can not access
> internet. The local zone will have e1000g0:1 which I do not shut down, which
> means the local zone can access internet. Correct?
>
> But, if we look at this picture
> http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris
> I see a virtual switch in the middle. I don't really understand the purpose of
> the virtual switch in the middle. What is it for?

It is a feature in Project Crossbow. In one sense, it is the mechanism by which several entities (e.g. several zones) share a physical NIC. In other words, vSwitches connect vNICs to a physical NIC.

> Should I also have a vswitch in the middle? And connect all local zones to
> the vswitch?

That depends on your goals. Unless you have more NICs than zones, you will need at least one vSwitch.

--JeffV
Re: [zones-discuss] Possible to use zones for hardening? Security?
If you configure a zone to use the exclusive-IP feature, the global zone will not be able to use the zone's network interfaces. See the zonecfg(1M) man page.

On Sat, Sep 25, 2010 at 6:23 AM, Orvar Korvar wrote:
> I am a home user with a PC and two SunRay2.
>
> I wonder if it is possible to shut down all internet connections to my global
> zone, and create a zone with VirtualBox to reach internet?
>
> 1) global zone: no internet connection
> 2) zone: virtualbox + Win7 to surf the web, for me
> 3) zone: virtualbox + Win7 to surf the web, for my girlfriend
>
> I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later
> (which will have Crossbow I assume)

--JeffV
Re: [zones-discuss] Possible to use zones for hardening? Security?
Here is more info on this: http://www.opensolaris.org/jive/thread.jspa?messageID=501153
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, so I shut down e1000g0 which means my global zone can not access internet. The local zone will have e1000g0:1 which I do not shut down, which means the local zone can access internet. Correct?

But, if we look at this picture
http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris
I see a virtual switch in the middle. I don't really understand the purpose of the virtual switch in the middle. What is it for?

Should I also have a vswitch in the middle? And connect all local zones to the vswitch? And then I shut down the global zone called "vnic0" in the picture? Or is it "eri0" I should shut down?
Re: [zones-discuss] Possible to use zones for hardening? Security?
When you create your zone1 it will be bound to e1000:1 and that interface is not disabled, hence it will have access to the web. You may do the same thing with 2 interfaces: one can be dedicated to global and the other bound to e1000:1, etc.

> Date: Sat, 25 Sep 2010 12:32:55 -0700
> From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
>
> Is it that simple?!
>
> I just disable my interface. Maybe with something similar to
> # ifconfig e1000 down
> or something. I have to check the syntax.
>
> And then everything is done? But, my zones, how can they reach internet if
> the global interface is disabled? I don't get it.
Re: [zones-discuss] Possible to use zones for hardening? Security?
Is it that simple?!

I just disable my interface. Maybe with something similar to

    # ifconfig e1000 down

or something. I have to check the syntax.

And then everything is done? But, my zones, how can they reach internet if the global interface is disabled? I don't get it.
Re: [zones-discuss] Possible to use zones for hardening? Security?
On the global zone all you need to do is disable your interface.

> Date: Sat, 25 Sep 2010 03:23:52 -0700
> From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: [zones-discuss] Possible to use zones for hardening? Security?
>
> I am a home user with a PC and two SunRay2.
>
> I wonder if it is possible to shut down all internet connections to my global
> zone, and create a zone with VirtualBox to reach internet?
>
> 1) global zone: no internet connection
> 2) zone: virtualbox + Win7 to surf the web, for me
> 3) zone: virtualbox + Win7 to surf the web, for my girlfriend
>
> I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later
> (which will have Crossbow I assume)
[zones-discuss] Possible to use zones for hardening? Security?
I am a home user with a PC and two SunRay2.

I wonder if it is possible to shut down all internet connections to my global zone, and create a zone with VirtualBox to reach internet?

1) global zone: no internet connection
2) zone: virtualbox + Win7 to surf the web, for me
3) zone: virtualbox + Win7 to surf the web, for my girlfriend

I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later (which will have Crossbow I assume)