NFR Wizards Archive: Re: Proxy firewall design.

Re: Proxy firewall design.


Bernhard Schneck (Bernhard_Schneckgenua.de)
Wed, 11 Mar 1998 11:11:32 +0100


In message <199803101214.XAA14551soy.cyber.com.au> you write:
> A common theme amongst proxy firewalls running on Unix is to limit the
> exposure through use of chroot. How many of these segregate it further
> such that (say) the smtp proxy uses /fw/smtp, ftp uses /fw/ftp, etc ?
> I'm aware of chrooting used for WWW & mail, but I can't see why you
> wouldn't use it for all of them. For example, FWTK 2.0 doesn't support
> chroot for plug-gw or x-gw but it does for all the others. Of course,
> you might even chroot to /fw first, before running any of your proxies...

In our firewall, we
* chroot for each possibly hostile interface (/cage/ef0, /cage/ef1, ...)
* chroot even further for ``dangerous'' services (mail, ssh, www, ...)

tcp-relay (similar to plug-gw) doesn't do any file I/O (and we hope
it doesn't have any buffer overflows), so chrooting further won't help
that much.

I hope the ``chroot escape hole'' is fixed (as discussed here a few
weeks ago).

Of course, chrooting only restricts file access and nothing else, so
several additional topics need to be addressed, too.

\Bernhard.
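
A sketch of the per-interface, per-service cage layout described in the message above, added here as an example and not taken from the post or from any firewall product. The function names `cage_path` and `enter_cage`, the `/cage/<iface>/<service>` subdirectory naming and the uid/gid 65534 are assumptions; because chroot only restricts file access, the example also gives up root once inside the cage.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* for chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Accept only a plain name: not empty, no '/', not "." or "..". */
static int plain_name(const char *s) {
    if (!s || !*s || !strcmp(s, ".") || !strcmp(s, "..")) return 0;
    return strchr(s, '/') == NULL;
}

/* Build /cage/<iface>[/<service>] (hypothetical layout). service may be
 * NULL for the per-interface cage. Returns 0 on success, -1 on bad input. */
int cage_path(const char *iface, const char *service, char *out, size_t len) {
    int n;
    if (!plain_name(iface) || (service && !plain_name(service))) return -1;
    n = service ? snprintf(out, len, "/cage/%s/%s", iface, service)
                : snprintf(out, len, "/cage/%s", iface);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Enter the cage and give up root. Call as root, before reading any
 * untrusted input. Returns 0 on success, -1 on any failure. */
int enter_cage(const char *dir, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;     /* refuse to remain root */
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;          /* cwd is inside the new root */
    if (setgroups(1, &gid) != 0) return -1;  /* drop supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;           /* root must not be regainable */
    return 0;
}

int main(int argc, char **argv) {
    char dir[256];
    /* 65534 is an assumed unprivileged uid/gid for the proxy. */
    if (argc < 2 || cage_path(argv[1], argc > 2 ? argv[2] : NULL, dir, sizeof dir) != 0) {
        fprintf(stderr, "usage: %s iface [service]\n", argv[0]);
        return 2;
    }
    if (enter_cage(dir, 65534, 65534) != 0) { perror("enter_cage"); return 1; }
    printf("caged in %s as uid %d\n", dir, (int)getuid());
    return 0;
}
```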


