The VV, as shipped, is a stand-alone Web server. You don't have to
connect it across your Firewall, but you don't get the secure access
to internal systems if you don't.
The Web server in the Outside compartment communicates with the CGI
programs on the Inside through a trusted gateway program. This program
has special privileges which allow it to communicate with the other
compartment.
Someone breaking out of your Web server will find themselves in the
Outside compartment, unable to do anything other than read the HTML
content (they can't even change it). Because this is a B2 system,
gaining root access doesn't buy them anything either. They could
probably run the CGI in the Inside compartment, but this authenticates
the connections from the Outside compartment, and thus this still
hasn't bought an attacker anything.
You could have the Inside compartment connected to the DMZ and still
have to get through a Firewall, but this is not necessary and just
complicates things. The normal solution is to have the VV in parallel
with the firewall. SMTP and outgoing connections use the Firewall, but
incoming HTTP uses the VV. The CGI you create in the Inside
compartment (no special programming required) has direct access to
your internal systems and can do SQL or whatever. The output from
these programs is passed back through to the Outside compartment via
the Trusted Gateway Agent.
The only problem with VV is the cost. I think we are talking $50,000
or so. You could easily just buy CMW at around $4,000 and set the same
thing up yourself, but you would need to write the TGA yourself. Not
complicated, but you need someone with trusted systems programming
experience.
Steve
______________________________ Reply Separator _________________________________
Subject: Re: What is Virtual Vault?
Author: root (root@cerberus.kempster.net) at internet-mime
Date: 3/6/97 11:08 AM
On 06-Mar-97 steve.gailey@nomura.co.uk wrote:
> Virtual Vault is a Netscape Web Server running on HP's CMW
> (Compartmented mode workstation) OS. The CMW is a B2 trusted version
> of their HP-UX 10 UNIX OS.
>
> The machine is compartmented to produce an outside and an inside
> compartment. If you know about B2 you will understand the advantages
> of this scheme for any system which needs to run as a Web server but
> also needs access to internal systems.
>
> The VV does NOT replace a Firewall. You will still need a Firewall for
> all your outgoing services. But you connect the VV across your
> Firewall and run your CGI from the Inside VV compartment, with the Web
> server itself running in the outside compartment.
>
> I have worked with the VV. I am impressed. It is still a little raw,
> that is to say you still need B2 knowledge to properly configure the
> thing, but I don't know why all external Web servers aren't
> implemented this way.
Is the VV something you can install on the outside of a proxy server
like Gauntlet, or does the VV have to have a direct pipe to your internal
network from its inside VV compartment?
>
> Steve Gailey
> Metronome Solutions Ltd.
> steveg@metrosol.demon.co.uk
> Tel. +44 1892 542 407 Fax. +44 1892 527 873
>
>
>______________________________ Reply Separator _________________________________
>Subject: What is Virtual Vault?
>Author: firewalls-owner (firewalls-owner@GreatCircle.COM) at internet-mime
>Date: 3/6/97 1:55 AM
>
>
>In the newspaper I read an article that "virtual vault" is better than a firewall.
>
>What is it, and why does HP believe that their product is better than a firewall?
>
>.... for more information use:
>
>* http://www.trace.com.tw * gopher://gopher.trace.com.tw
>* ftp://ftp.trace.com.tw * telnet://bbs.trace.com.tw
>* sticky: Ronald gate.trace.com.tw (the very fast way to reach me)
>* finger (ronald@trace.com.tw) for more info (address, pgp key, .....)
>* for talk, P2P, InterCom (picture phone) ronald@gate.trace.com.tw
>* Tel: +886 2 609-0652, Fax: +886 2 600-0132, NET: +886 2 600-2318
>
>
>
>Ronald Wiplinger [Taipei, 24h online]
>
-----------------------------------------
Ken Kempster Network Systems Engineer
E-Mail: Ken Kempster <kempster@pop.net>
Date: 06-Mar-97
Time: 07:08:31
-----------------------------------------
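The point Steve makes above, that root in the Outside compartment "doesn't buy them anything" and that only the Trusted Gateway Agent may cross into the Inside compartment, comes down to the mandatory access check being keyed on a compartment label rather than on uid. The following toy reference monitor is an added illustration of that idea, not HP Virtual Vault or CMW code and not part of the original thread. The compartment names, the object names (htdocs, query.cgi, oracle.sock), the uids and the single "gateway" privilege are all assumptions made for the example; a real B2 system's label lattice and privilege set are far richer than this.

```python
"""Toy model of OUTSIDE/INSIDE compartment separation (added example).

Not Virtual Vault or CMW code: a minimal reference monitor in which the
decision depends on the subject's compartment label and, for crossing
compartments, on a hypothetical 'gateway' privilege. The uid field is
carried only to show that it plays no part in the decision.
"""
from dataclasses import dataclass

OUTSIDE = "OUTSIDE"   # assumed name for the web-server compartment
INSIDE = "INSIDE"     # assumed name for the CGI / internal-systems compartment


@dataclass(frozen=True)
class Subject:
    name: str
    uid: int                      # irrelevant to the mandatory check
    compartment: str
    privileges: frozenset = frozenset()


@dataclass(frozen=True)
class Obj:
    name: str
    compartment: str
    modes: frozenset              # modes allowed from the object's own compartment


class AccessDenied(Exception):
    pass


def check(subject: Subject, obj: Obj, mode: str) -> None:
    """Reference-monitor decision: return on allow, raise AccessDenied otherwise."""
    if subject.compartment == obj.compartment:
        if mode in obj.modes:
            return
        raise AccessDenied(f"{subject.name}: {mode} on {obj.name} not permitted")
    # Crossing compartments needs the (hypothetical) gateway privilege, and
    # even then only to invoke an INSIDE object from OUTSIDE: the TGA's role.
    if ("gateway" in subject.privileges and subject.compartment == OUTSIDE
            and obj.compartment == INSIDE and mode == "exec"):
        return
    raise AccessDenied(
        f"{subject.name} ({subject.compartment}) may not {mode} "
        f"{obj.name} ({obj.compartment})")


def allowed(subject: Subject, obj: Obj, mode: str) -> bool:
    try:
        check(subject, obj, mode)
        return True
    except AccessDenied:
        return False


# Constructed objects: read-only HTML on the outside, CGI and a DB socket inside.
HTDOCS = Obj("htdocs", OUTSIDE, frozenset({"read"}))
INSIDE_CGI = Obj("query.cgi", INSIDE, frozenset({"exec", "read", "write"}))
DB_SOCKET = Obj("oracle.sock", INSIDE, frozenset({"read", "write"}))


def simulate() -> dict:
    """Run the scenario from the thread and return each decision by name."""
    httpd = Subject("httpd", uid=1001, compartment=OUTSIDE)
    attacker = Subject("attacker-as-root", uid=0, compartment=OUTSIDE)
    tga = Subject("tga", uid=1002, compartment=OUTSIDE,
                  privileges=frozenset({"gateway"}))
    cgi = Subject("query.cgi", uid=1003, compartment=INSIDE)
    return {
        "httpd reads htdocs": allowed(httpd, HTDOCS, "read"),
        "root in OUTSIDE writes htdocs": allowed(attacker, HTDOCS, "write"),
        "root in OUTSIDE execs inside CGI": allowed(attacker, INSIDE_CGI, "exec"),
        "root in OUTSIDE reads DB socket": allowed(attacker, DB_SOCKET, "read"),
        "TGA execs inside CGI": allowed(tga, INSIDE_CGI, "exec"),
        "TGA reads DB socket directly": allowed(tga, DB_SOCKET, "read"),
        "inside CGI reads DB socket": allowed(cgi, DB_SOCKET, "read"),
    }


if __name__ == "__main__":
    for label, ok in simulate().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {label}")
```

Two things in the output are worth noticing. A uid-0 subject labelled OUTSIDE is refused every write and every cross-compartment access, which is the property the thread relies on when it says root gains an attacker nothing. And the gateway privilege is deliberately narrow: it lets the TGA invoke the inside CGI but not touch the database socket itself, so the only path from the web server to internal data is through code you placed in the Inside compartment, matching the design described above.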