Netconf 2006 Tokyo Paul Moore

Slides:



Advertisements
Similar presentations
Florida State UniversityCOP Advanced Unix Programming Raw Sockets Datalink Access Chapters 25, 26.
Advertisements

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
OFED TCP Port Mapper Proposal June 15, Overview Current NE020 Linux OFED driver uses host TCP/IP stack MAC and IP address for RDMA connections Hardware.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Chapter 9 Building a Secure Operating System for Linux.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
1 Network Packet Generator Characterization presentation Supervisor: Mony Orbach Presenting: Eugeney Ryzhyk, Igor Brevdo.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
Optical Ring Networks Research over MAC protocols for optical ring networks with packet switching. MAC protocols divide the ring bandwidth according to.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Network based IP VPN Architecture using Virtual Routers Jessica Yu CoSine Communications, Inc. Feb. 19 th, 2001.
© 2005,2006 NeoAccel Inc. Training Access Modes. © 2005,2006 NeoAccel Inc. Agenda 2. Access Terminals 6. Quick Access Terminal Client 3. SSL VPN-Plus.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Windows 7 Firewall.
Access Control List (ACL)
1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.
An initial study on Multi Path Routing Over Multiple Devices in Linux 2.4.x kernel Towards CS522 term project By Syama Sundar Kosuri.
Packet Capture and Analysis: An Introduction to Wireshark 1.
Module 5: Designing Security for Internal Networks.
Linux Implementation of the TRILL protocol Syed Mohsin Kazmi, Mohsin Sardar, Syed Ali Khayam School of EECS National University of Sciences & Technology.
Module 1: Configuring Routing by Using Routing and Remote Access.
Internet Security and Firewall Design Chapter 32.
Module 7: Implementing Security Using Group Policy.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.
1 Linux Security Module: General Security Support for the Linux Kernel Presented by Chao-Sheng Lin 2005/11/1.
Virtio-IPsec-LA PoC Implementation
Firewall Technology and InterCell Communication Peter T. Dinsmore Trusted Information Systems Network Associates Inc 3060 Washington Rd (Rt. 97) Glenwood,
Software implementation of the Signaling protocol Cusnir Pablo & Schetrit Guy. Supervisor: Dan Gluskin. December 2000 Spring 2000 Mid semester presentation.
Slide 1 2/22/2016 Policy-Based Management With SNMP SNMPCONF Working Group - Interim Meeting May 2000 Jon Saperia.
Module 8 Implementing Security Using Group Policy.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
By Daniel Grim. What Is Windows NT? IPSEC/Windows Firewall NTFS File System Registry Permissions Managing User Accounts Conclusion Outline.
Java’s networking capabilities are declared by the classes and interfaces of package java.net, through which Java offers stream-based communications that.
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh
LISA Linux Switching Appliance Radu Rendec Ioan Nicu Octavian Purdila Universitatea Politehnica Bucuresti 5 th RoEduNet International Conference.
Chapter TCP/IP in the Windows Environment © N. Ganesan, Ph.D., All rights reserved.
SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.
Managing and Directing Network Traffic with Linux
Multi-layer software defined networking in GÉANT
Bound End-to-End Tunnel mode for ESP InfraHIP Diego Beltrami
ISDN Dial-on-Demand Routing using Dialer Profiles.
Instructor Materials Chapter 6: VLANs
Encryption and Network Security
LWIP TCP/IP Stack 김백규.
IT443 – Network Security Administration Instructor: Bo Sheng
Chapter 5: Threads Overview Multithreading Models Threading Issues
Nadeem MajeedChoudhary.
TLS Receive Side Crypto Offload to NIC
IS3440 Linux Security Unit 6 Using Layered Security for Access Control
Routing and Switching Essentials v6.0
* Essential Network Security Book Slides.
Firewalls Purpose of a Firewall Characteristic of a firewall
OPERATING SYSTEMS Threads
Chapter 4: Threads.
POOJA Programmer, CSE Department
IP-Spoofing and Source Routing Connections
دیواره ی آتش.
Chapter 4: Threads.
Chapter 4: Threads.
Chapter 5: Threads Overview Multithreading Models Threading Issues
Chapter 4: Threads.
Chapter 4: Threads.
Presentation transcript:

Netconf 2006 Tokyo Paul Moore paul.moore@hp.com NetLabel Netconf 2006 Tokyo Paul Moore paul.moore@hp.com

Agenda Introduction Design goals Architectural overview Initial implementation SELinux support Future ideas

Introduction Growing number of Trusted OS users want to shift from legacy Trusted OSes to Linux Requires labeling of all user generated traffic Requires interoperability with legacy labeling protocols Wants labels that are understandable on the wire Unfortunately the IPsec SA labeling mechanism does not satisfy all of these requirements

Design Goals Protocols must be supported by existing Trusted OSes CIPSO, RIPSO, TSIX/MAXSIX Implementation must be well contained Use existing LSM hooks and data structures Performance impact must be minimal Zero impact when not enabled at compilation Minimal impact when enabled but not configured

Architectural Overview Utilize existing SKB receive and socket syscall LSM hooks Outbound packets are labeled by adding an IP option to the socket Inbound packet IP options are parsed/validated as part of normal option processing Access control handled in the LSM Management is handled through the Generic Netlink interface Implementation is LSM agnostic

Initial Implementation Provides minimal CIPSO support Limited to labeling packets with the MLS label Configuration parameters not explicitly supported Implementation is limited to MUST support Supports multiple CIPSO DOIs and unlabeled traffic Type of outbound labeling can be defined on a per-LSM-domain basis No requirements are placed on the CIPSO DOIs used for incoming traffic

SELinux Support Sockets are assigned IP options/labels based on their context If unable to set the IP option then socket creation is denied or writes are not allowed Sockets created by incoming connections are labeled according to the connection New context is a combination of the parent socket’s SELinux context and the connection’s MLS label Context of incoming traffic is generated similar to incoming TCP connections

Future Ideas Provide better CIPSO support The remaining tag types CIPSO/IPv6 as used by Trusted Solaris Investigate support for other labeling protocols such as RIPSO, TSIX/MAXSIX Implement support for sending full SELinux contexts General improvements, etc

More Information Kernel patches in net-2.6.19 SourceForge project started to hold userspace utilities http://netlabel.sf.net

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.