There has been some discussion of putting a web site on read-only
media to protect it against attack, with the drawback being that
updating the web site becomes tedious.
Three solutions have been proposed: 1) using the immutable bit (for
BSD only), 2) using CDROM, and 3) using READ-ONLY file systems.
There is another solution that is being used by some sites, namely
using mandatory access control (MAC) security.
Here's what we have done for customers:
The web server has two network connections, but has IP forwarding
disabled. Processes coming in from one network see all file systems
as read-only (making /tmp RO is an option), and there is no mechanism
for bypassing that, even if the process is root. All device special
files are completely inaccessible to all processes and all users -- also
mknod(2) is disabled. If a user comes in from the other network,
he/she can access the system normally, except that UID 0 (root) is
treated as a normal account in terms of OS privilege, so attacks from
this direction are also more tightly controlled (special programs
are provided to manage the system instead of using a special account
such as root).
                         +------------+
<-------------->         |  Secured   |         <-------------->
internal network         |  Web Site  |         Internet/PublicNet
(RW file systems)        +------------+         (RO file systems)
When a Solaris host (x86 or SPARC) has been updated with this level
of security, you can still use the r* commands, telnet, ftp, and
even NFS from either side. You can have the RO restriction be done
on a per-file basis as well, so you can be creative about your setup.
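An added audit helper, not part of the original post, for the posture described above: a dual-homed host with IP forwarding off and a web root that is read-only and cannot carry device nodes. The checks take their input as text so they can be run offline against captured data; the sample mount table is constructed and assumes a Linux /proc/mounts layout, and the /var/www path is an assumption. On Solaris the forwarding flag would be read with ndd -get /dev/ip ip_forwarding rather than from /proc.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of the
# read-only web-root posture. Assumes a /proc/mounts-style mount table.

# Constructed sample data (assumption: Linux-style mount table).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/www ext4 ro,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_has_opt MOUNTS PATH OPT -> exit 0 if PATH is mounted with OPT set.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v p="$2" -v want="$3" '
        $2 == p {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# ip_forwarding_off VALUE -> exit 0 when the forwarding flag reads 0.
# The value would come from `ndd -get /dev/ip ip_forwarding` on Solaris
# or from /proc/sys/net/ipv4/ip_forward on Linux.
ip_forwarding_off() {
    [ "$1" = "0" ]
}

# audit_posture MOUNTS WEBROOT FORWARD_VALUE -> prints one line per check
# and returns the number of failed checks (0 means the posture matches).
audit_posture() {
    fails=0
    if mount_has_opt "$1" "$2" ro; then echo "PASS $2 is read-only"
    else echo "FAIL $2 is writable"; fails=$((fails + 1)); fi
    if mount_has_opt "$1" "$2" nodev; then echo "PASS $2 blocks device nodes"
    else echo "FAIL $2 allows device nodes"; fails=$((fails + 1)); fi
    if ip_forwarding_off "$3"; then echo "PASS IP forwarding disabled"
    else echo "FAIL IP forwarding enabled"; fails=$((fails + 1)); fi
    return "$fails"
}

# Usage against the constructed sample: all three checks pass.
audit_posture "$SAMPLE_MOUNTS" /var/www 0
```

Feeding it the real mount table is a matter of `audit_posture "$(cat /proc/mounts)" /var/www "$(cat /proc/sys/net/ipv4/ip_forward)"`; the mount-option check is a filesystem-level approximation of the per-network MAC rule in the post, which no mount flag can express by itself.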
BTW, I've seen a number of heated messages about the usefulness of
Orange Book security in relation to the "real world". The above is
an example of Orange Book security available on a late-release OS
(Solaris 2.4 and Solaris 2.5.1), evaluated to B1 and C2 (the C2 is
quite enhanced from the minimum requirements mentioned in the TCSEC),
with Solaris 2.6 planned for summer (it should finish its evaluation
by the end of the year as well).
There IS a lot of Orange Book trash on the market -- stuff that is
old, hard to use, and of questionable usefulness in the real world.
But it IS possible to build state-of-the-art, flexible, feature-rich,
affordable, evaluated systems. Other companies have also built
trusted systems, and users of those systems can comment on their
experiences. The old IBM/TIS Trusted Xenix is a very bad example
of a trusted system. It reflects the state of technology in the
late 1980's, not a modern system.
I agree that if a box is a pure firewall, with no services of any
kind being offered, then the addition of B-level security is of
minor (but not zero) importance. The instant the firewall system
is accessible directly, for example as a web site or for admin
purposes, B-level security can be extremely powerful.
paul
------------------------------------------------------------
Paul McNabb                        Argus Systems Group, Inc.
Vice President and CTO             1405A East Florida Avenue
mcnabb@argus.cu-online.com         Urbana, IL 61801 USA
                                   TEL 217-384-6300
"Securing the Future"              FAX 217-384-6404
------------------------------------------------------------