Subject: Re: SE Linux vs SE NetBSD !!
To: None <tech-security@netbsd.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 09/02/2006 02:37:57
On Jan 20, 11:21am, "Travis H." wrote:
} On 8/29/06, John Nemeth <jnemeth@victoria.tc.ca> wrote:
} 
} There's lots of cases where the perimeter is breached.  A big one is
} road warrior salespeople who bring worms in on their laptops, and
} Windows users who execute malware.

     This is where things like Cisco's NAC (Network Admission Control)
come into play.  Basically, it prevents machines from connecting to
the network if they aren't running the latest patches, anti-virus, etc.
(whatever you put into your policy).  It can either block the machine
completely or quarantine it in a subnet where it can only get updates.
There may be other products that do similar things, but I'm not aware
of any.

} > Of course, for
} > real security, you shouldn't be using plain NFS.  Also, we don't know
} > when somebody might breach the firewall or the firewall administrator
} > might make a mistake.  Defense in depth and all that.
} 
} All true.
} 
} What options exist apart from NFS and SMB?  I think there was one
} called coda, and AFS, and Linux has sshfs (requires a kernel module on
} the client)... anything else?

     Sun's version of NFS can use secure RPC.  There may be other
options in NFSv3 or NFSv4.  Another thing would be to use IPSec.  Of
course, there is the issue of authenticating users and making sure they
don't try to fake the credentials of a different user.  I think some of
the other options are better for that.

} I'd really like to see a filesystem that exports all the attributes of
} the fs it is exporting.  Right now all my files from the NFS server are
} typed nfs_t, not what they are typed as they appear on the file server.
} I suppose NFS doesn't support either the lsattr kind of attributes, nor
} the SELinux kind.

     NFS was designed to be OS independent.  There are pros and cons to
this approach.  I believe NFSv4 is designed to handle things like
attributes and subfiles.

     SVr4 had something called RFS (remote filesystem) which was specific
to Unix and had the attributes of System V's filesystem.  Apparently, if
you opened a device file on RFS, you would actually be talking to the
device on the remote machine.  This would make it easy to remotely use
a tape drive for example.  Of course, it would be a problem for a
diskless machine.

}-- End of excerpt from "Travis H."