Mandatory Access Control Networking Update - Netonf 2006 Tokyo

581 views

Published on

"Mandatory Access Control Networking Update", presentation given at Netconf 2006 in Tokyo, with an update on Labeled Networking and other MAC features.

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
581
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
8
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Mandatory Access Control Networking Update - Netonf 2006 Tokyo

  1. 1. Mandatory Access Control Networking Update Netconf 2006 Tokyo James Morris jmorris@namei.org    
  2. 2. MAC Networking ● Applying Mandatory Access Control (MAC) security to networking: 1) Local communications ● Unix Domain ● Netlink etc. 2) Local labeling of network packets & objects ● Packet filtering 3) Distributed MAC ● Labeled networking    
  3. 3. Status – since last year ● SELinux packet filtering controls have been re- implemented with Secmark: – Utilizes IPTables, conntrack etc. – Separates labeling and enforcement – Much more powerful & flexible – Policy is greatly simplified    
  4. 4. Status (cont'd) ● Native IPSec/xfrm labeling extended by TCS to provide full support for LSPP (used to be B1) certification. – Implements Multilevel Security (MLS), but is generic.    
  5. 5. Status (cont'd) ● Support for legacy MLS networking added by HP (“N etlabel” ): – CIPSO ­    case 0x86: /* Another "Commercial Security" crap. */ +    case IPOPT_CIPSO: – RIPSO and others possible ● Provides interoperability with legacy MLS systems such as Trusted Solaris. ● Argus also porting their CIPSO implementation.    
  6. 6. Futures ● Consolidation of labeling schemes (TCS has posted patches), so they all work well together. ● Complete LSPP/EAL4+ certification with RHEL5, which will include SELinux and native labeled networking. ● Look for ways to make labeled networking more generally useful (using Type Enforcement) – Example: protected paths between web server and database server processes.    
  7. 7. Conclusions ● While immediately most useful to government & military users, the MAC networking frameworks have been implemented generically. ● These features are unprecedented in a general purpose OS. ● Linux now has perhaps the richest network security feature set ever.    

×