> I don't see this particular paradigm suiting character streams such as
> TELNET or rlogin, for example, very well; they require continual flow
> of data rather than store-process-forward.
You have to run a shadow session in your captive simulators
and watch 'em for policy violations.
> The filters implied by using a virtual machine are far from trivial,
> requiring an idea of what correct output (or safe output) is, given that
> you can imitate all possible inputs, and possible combinations thereof
> which can have adverse effect.
If it was easy, everyone would be doing it!
This gets back to one of mjr's regular issues, 'what is your model
for security', which really nobody can answer with anything very strong.
The basic security model, as far as I can tell, is 'we looked for wires
and clocks, and then we shook it pretty hard, and it didn't make a
tremendous bang, so it's probably ok.' The primary distinctions are in
how bomb-proof the shaking-barrel was. Sometimes the shaking step is
eliminated, and sometimes the search for wires&clocks is eliminated.
This is a fairly lame model, when you get right down to it. It is
essentially useless against data driven attacks (I lump viruses of
various sorts in here, because they are at least transported as data).
Since data driven attacks have always been, by a wide margin, the most
serious problem, modern firewall design is flawed. The 'modern' firewall
is a device designed to block out a small subset of a high-profile
but minor class of problems in data integrity.
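An added illustration of the "shadow session" idea for character streams, not code from the post or its author: a monitor that forwards each chunk of an interactive session immediately (no store-process-forward delay) while keeping just enough of the previous bytes to spot a forbidden pattern that arrives split across reads, as happens when TELNET sends one keystroke per packet. The forbidden patterns are a constructed, hypothetical site policy; the `StreamMonitor` class and `scan_session` helper are assumptions made for this example.

```python
# Example added for illustration; the policy patterns below are constructed,
# not taken from any real site or from the original post.
from typing import Iterable, List, Tuple

# Hypothetical policy: byte sequences the site does not allow a client to
# send over an interactive session (constructed for this example).
FORBIDDEN_PATTERNS = [b"rm -rf /", b"mkfs"]


class StreamMonitor:
    """Watches a continual byte stream for policy violations without buffering it.

    Each chunk is returned to the caller right away so the interactive session is
    not delayed; only the last (max_pattern_len - 1) bytes are retained so that a
    pattern straddling two chunks is still detected exactly once.
    """

    def __init__(self, patterns: List[bytes]):
        self.patterns = patterns
        # Enough history to complete any pattern that started in an earlier chunk.
        self.keep = max(len(p) for p in patterns) - 1
        self.tail = b""          # retained bytes from earlier chunks
        self.offset = 0          # absolute offset of the next byte in the stream
        self.violations: List[Tuple[int, bytes]] = []  # (stream offset, pattern)

    def feed(self, chunk: bytes) -> bytes:
        buf = self.tail + chunk
        base = self.offset - len(self.tail)   # absolute offset of buf[0]
        for pat in self.patterns:
            start = 0
            while True:
                i = buf.find(pat, start)
                if i < 0:
                    break
                # A match lying wholly inside the retained tail was already
                # reported when that data first arrived; skip it.
                if i + len(pat) > len(self.tail):
                    self.violations.append((base + i, pat))
                start = i + 1
        self.offset += len(chunk)
        self.tail = buf[-self.keep:] if self.keep > 0 else b""
        return chunk   # forwarded unchanged; the monitor only observes


def scan_session(chunks: Iterable[bytes],
                 patterns: List[bytes] = FORBIDDEN_PATTERNS) -> List[Tuple[int, bytes]]:
    """Run a whole captured session through the monitor and return its findings."""
    mon = StreamMonitor(patterns)
    for chunk in chunks:
        mon.feed(chunk)
    return mon.violations


if __name__ == "__main__":
    # Constructed session: a command split across two reads, then one sent
    # a keystroke at a time as a TELNET client in character mode would.
    session = [b"ls\nrm -r", b"f /\n"] + [bytes([b]) for b in b"mkfs\n"]
    for off, pat in scan_session(session):
        print(f"policy violation at stream offset {off}: {pat!r}")
```

The point the example makes against store-process-forward is in `feed`: the chunk is handed back before any decision is taken, so the only thing the monitor can do is raise an alert (or have the caller tear the session down), which is why correctness depends on having a usable definition of what "unsafe output" looks like in the first place.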