Re: Here is my plan for firewall implementation
Craig Brozefsky (craig onshore.com)
Sun, 21 Sep 1997 17:59:20 -0500
- Next message: Adept: "NCSA's RECON Service"
- Previous message: Joseph S. D. Yao: "Re: Here is my plan for firewall implementation"
- In reply to: Marcus J. Ranum: "Re: Here is my plan for firewall implementation"
- Next in thread: Adept: "NCSA's RECON Service"
On Sun, 21 Sep 1997, Marcus J. Ranum wrote:
> These days I'd use qmail (Dan Bernstein's minimalist
> mailer) or sendmail running on a hacked kernel in a
> restricted environment. Smap was intended to be a
> place for hooking additional mail processing into a
> firewall, but nothing ever got hung on the hooks.
We hooked some stuff into it for a client once who needed to be able to
approve certain classes of email messages in order to comply with some
federal regulations in their industry.
> By sendmail on a hacked kernel I'm talking about
> things like running sendmail chrooted w/o privs and
> a configuration that doesn't have sendmail calling
> external mailers. Then all it has to do is fork itself
> off - at that point you can jigger the kernel to allow
> a specific UID (under which mail runs) to chroot,
> but you check so a chroot cannot be performed
> twice.* Also, wire the kernel so that the mail UID
> cannot call any of the exec( ) family.
Or you just run qmail. I like to stay away from such specific kernel
mods when trying to make up for security shortcomings in userspace code.
> Another fun fix I'd like to see on firewall boxes (but
> this takes more kernel expertise than I have) is
> modifications to the memory management to make
> stack space protected so it's not executable. When
> someone tries to hit a buffer overrun, *poof* instant
> SIGSEGV.
That is assuming the buffer overrun is a stack variable. Solar Designer,
who released a patch to Linux which did such modifications as mark the
stack as non-executable (with exceptions for certain things which happen
during the normal course of execution, such as trampolining signal
handlers), also recently released some very pretty code which doesn't
bother with the stack, but rather overwrites some heap memory.
There is also a patch for Solaris which does the same thing. I am not
positive but I bet there are BSD patches for it too.
Craig Brozefsky craig onshore.com
onShore Inc. http://www.onshore.com/~craig
Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
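
Added example, not part of the original message or of any patch it mentions: a small C audit that parses text in Linux /proc/<pid>/maps format and reports mappings that are both writable and executable, which is how a defender can confirm that a non-executable stack policy is actually in effect for a process. The sample maps text, the /usr/sbin/maild path and the names wx_report and audit_maps are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from the original post).
 * The last line models a process whose stack is still mapped executable. */
static const char *SAMPLE_MAPS =
    "00400000-0040b000 r-xp 00000000 08:01 1311 /usr/sbin/maild\n"
    "0060a000-0060b000 rw-p 0000a000 08:01 1311 /usr/sbin/maild\n"
    "01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]\n"
    "7f2a10000000-7f2a10021000 rwxp 00000000 00:00 0 \n"
    "7ffd4a1e0000-7ffd4a201000 rwxp 00000000 00:00 0 [stack]\n";

/* total: lines parsed; wx: writable+executable mappings; *_exec: region has x */
struct wx_report { int total, wx, stack_exec, heap_exec; };

/* Walk the maps text line by line and record W+X mappings. */
static struct wx_report audit_maps(const char *maps)
{
    struct wx_report r = {0, 0, 0, 0};
    const char *p = maps;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256], perms[5] = "", name[128] = "";
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        /* fields: range perms offset dev inode [path]; path may be absent */
        if (sscanf(line, "%*s %4s %*s %*s %*s %127s", perms, name) >= 1) {
            r.total++;
            if (perms[1] == 'w' && perms[2] == 'x') r.wx++;
            if (perms[2] == 'x' && strcmp(name, "[stack]") == 0) r.stack_exec = 1;
            if (perms[2] == 'x' && strcmp(name, "[heap]") == 0) r.heap_exec = 1;
        }
        p = eol ? eol + 1 : p + len;
    }
    return r;
}

int main(void)
{
    struct wx_report r = audit_maps(SAMPLE_MAPS);
    printf("%d mappings, %d W+X, stack_exec=%d heap_exec=%d\n",
           r.total, r.wx, r.stack_exec, r.heap_exec);
    return 0;
}
```

A clean result here only shows that injected bytes on the stack or heap cannot be run directly; it does not detect the heap overwrites the message refers to.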
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT