
Re: Here is my plan for firewall implementation


Joseph S. D. Yao (jsdycospo.osis.gov)
Mon, 22 Sep 1997 12:01:57 -0400 (EDT)


> These days I'd use qmail (Dan Bernstein's minimalist
> mailer) or sendmail running on a hacked kernel in a
> restricted environment. Smap was intended to be a
> place for hooking additional mail processing into a
> firewall, but nothing ever got hung on the hooks.

Well, a few things here and there.

> Another fun fix I'd like to see on firewall boxes (but
> this takes more kernel expertise than I have) is
> modifications to the memory management to make
> stack space protected so it's not executable. When
> someone tries to hit a buffer overrun, *poof* instant
> SIGSEGV.

This is an entirely reasonable and logical thing to be able to want to
do. It's also quite easy, given hardware support.

Of the hardware architectures I just glanced at, it appears that the
Alpha and HP-PA allow this, the x86 and MIPS and possibly the Sparc do
not. Software implementations slow the system down, unforgivable to
the Marketing departments [;-)]. It's possible/probable that hardware
implementations also slow the system down by a nanosecond or two per
command, and cost $0.02 more per chip, and so were nixed. ;-)/2

--
Joe Yao				jsdycospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support						EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
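The non-executable stack that the message wishes for is ordinary on today's hardware, and the mechanism can be shown directly. The following is an added example written for this archive page, not code from the thread or its authors. It assumes Linux on x86-64 or AArch64 with hardware no-execute support; the `kRet42` byte string is a constructed stand-in for injected code (a function body that just returns 42), and `run_from_page`, `run_from_stack` and `try_exec` are names chosen here. It copies those bytes into an anonymous page mapped without PROT_EXEC and tries to call them, catching the resulting SIGSEGV with `sigsetjmp`/`siglongjmp`; it then repeats the call on a page remapped read+execute (write dropped first, so the page is never writable and executable at once), and finally on a buffer on the real stack, whose outcome depends on how the binary was linked.

```c
/* nx_demo.c: does the CPU refuse to run bytes that live in a non-executable
 * page, or on the stack?  Added example, not from the mailing-list thread.
 * Assumes Linux on x86-64 or AArch64 with hardware no-execute support. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed stand-in for injected code: a function body returning 42. */
#if defined(__x86_64__)
static const unsigned char kRet42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kRet42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "supply instruction bytes for this architecture"
#endif

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Jump to `code`; return what it returns, or -1 if the CPU faulted instead.
 * sigsetjmp(env, 1) saves the signal mask, so siglongjmp from the handler
 * also unblocks SIGSEGV again for the next attempt. */
static int try_exec(unsigned char *code)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &code, sizeof fn); /* data pointer -> function pointer */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Copy the bytes into a fresh anonymous page and run them.  `executable`
 * selects PROT_EXEC, granted only after write is dropped (never W+X).
 * Returns 42 if the code ran, -1 if the CPU faulted, -2 on setup failure. */
int run_from_page(int executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, kRet42, sizeof kRet42);
    if (executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, pagesz);
            return -2;
        }
        /* Needed on AArch64 so the instruction cache sees the new bytes. */
        __builtin___clear_cache((char *)page, (char *)page + sizeof kRet42);
    }
    int r = try_exec(page);
    munmap(page, pagesz);
    return r;
}

/* The 1997 wish itself: code sitting in a stack buffer, where a smashed
 * return address would point.  Whether this faults depends on how the
 * binary was linked (PT_GNU_STACK); 42 means "this stack is executable". */
int run_from_stack(void)
{
    unsigned char buf[sizeof kRet42];
    memcpy(buf, kRet42, sizeof buf);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);
    return try_exec(buf);
}

int main(void)
{
    printf("non-executable page: %d (fault = -1)\n", run_from_page(0));
    printf("executable page:     %d (ran = 42)\n", run_from_page(1));
    int s = run_from_stack();
    printf("stack buffer:        %d (%s)\n", s,
           s == 42 ? "stack is executable" : "stack is protected");
    return 0;
}
```

Build with `cc -O2 nx_demo.c -o nx_demo`; relinking with `-z execstack` (GNU ld) turns the last line from a fault into 42, which is exactly the per-binary choice the hardware support made possible.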



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT