Will user mode Linux add security to firewalls?

By Gorgonzola in Technology
Wed Dec 06, 2000 at 01:46:55 PM EST
Tags: Security

One of the tenets of building not too insecure networks is 'less is more', which implies that the fewer services you are running on a particular server, the more secure it will be. One of the implications is that firewalls should be on separate servers. My question is: will UML (User Mode Linux) provide the additional separation needed to justify having a firewall which isn't dedicated to firewalling alone?


One of the interesting features of the upcoming 2.4 kernel is user mode Linux. This will enable Linux users to run a complete kernel in user space as if it had its own virtual machine. This sounds neat on paper. Since I am planning to build a router/firewall for an ADSL connection, I was wondering whether running the firewall inside UML (User Mode Linux) would add enough security to justify running Samba and other services intended for the machines behind the firewall on the same physical machine. The intended server would of course have additional security in the form of LIDS (Linux Intrusion Detection System), TripWire and PortSentry. Would such a setup be secure enough, or should I still stick to a router/firewall on a physically different machine?

Will user mode Linux add security to firewalls? | 11 comments (11 topical, 0 editorial, 0 hidden)
Firewall outside, other services inside (3.66 / 3) (#1)
by Michael Leuchtenburg on Wed Dec 06, 2000 at 11:31:51 AM EST

Well, I'm not sure how UML is implemented, but if it gives you a virtual network connection between the main kernel and the UM kernel, then it should be fine to run other services within the UML that you wouldn't put raw on a firewall.

However, the UML should have an entirely separate environment. The only thing it shares with the main kernel is physical stuff. No sharing of partitions. Then if your UML gets compromised, the firewall itself could be compromised through file writes (to, say, shadow, or passwd).

I, for one, would probably go with a separate firewall, if only to avoid the (assumed) performance hit of UML, and because it's simpler and less easy to screw up. Plus, it means that if the firewall dies, internal services aren't lost.

[ #k5: dyfrgi ]
[ TINK5C ]

Fragility of services inside (3.00 / 1) (#3)
by Gorgonzola on Wed Dec 06, 2000 at 12:04:16 PM EST

Well, the idea of UML is that even if the virtual machine dies, it won't take down the rest of the machine it is running on. It is just a kernel running in user space on top of a 'normal' kernel.
--
A page a day keeps ignorance of our cultural past away, or you can do your bit for collaborative media even if you haven't anything new or insightful to say.

if using UML for firewall, then it should be in UML (3.50 / 2) (#4)
by hany on Wed Dec 06, 2000 at 12:26:11 PM EST

If using UML for firewall, then it should be in UML (i.e. exact opposite of your statement) IMO.

As Gorgonzola writes: "Well, the idea of UML is that even if the virtual machine dies, it won't take down the rest of the machine where it is running in. It is just kernel running in user space on top of a 'normal' kernel."
Thus if someone breaks into your firewall, which is at real level0, they can intrude into every service in every UML.

But if someone breaks into a firewall in UML, they are "root" only in that UML and should not be able to cross to the "parent" (real level0) kernel environment. Except for "common" holes through the network connection between the UML firewall and the level0 kernel, which is almost the same as breaking into a separate firewall and from it cracking machines in the private network :) .


hany


if using UML for firewall, then it should be in UML (4.00 / 2) (#5)
by Gorgonzola on Wed Dec 06, 2000 at 12:45:34 PM EST

That is correct. The design would be to have a firewall running on top of the UML kernel with the untrusted ethernet device mapped to it. A trusted virtual ethernet device would connect it back to the inside world. The theoretical advantage would be that an intruder gaining root privileges still wouldn't have more than user privileges on the host kernel. I am looking for flaws in this design, which I presume do exist.
--
A page a day keeps ignorance of our cultural past away, or you can do your bit for collaborative media even if you haven't anything new or insightful to say.

Addendum: URL to UML homepage (4.18 / 11) (#2)
by Gorgonzola on Wed Dec 06, 2000 at 11:46:32 AM EST

Jump before you leap. I should have included the URL to the user mode Linux homepage to give people an idea what it is all about. Here it is: UML. My apologies for any inconvenience caused.
--
A page a day keeps ignorance of our cultural past away, or you can do your bit for collaborative media even if you haven't anything new or insightful to say.

(offtopic) namespace collision : UML (2.00 / 4) (#6)
by Speare on Wed Dec 06, 2000 at 12:47:49 PM EST

This is a bit off-topic, and I admit I don't have a great solution to the problem, but I hate it when abbreviations or trademarks collide, seemingly needlessly.

    "Eh, the old DIVX is gone, let's call this new thing DivX. Sure, they're both about digital video, but otherwise, they're night and day. Nobody'll get confused!"

    "Hey, we can name our cool new thing User Mode Linux, and abbreviate it UML. Of course, those academic and corporate geeks will read UML as 'Unified Modeling Language,' but who cares about them? Life's a booch."

Three letters, 17576 permutations. More letters, more permutations. We don't even need to go to punctuation like :CueCat to differentiate ourselves.


[ e d @ h a l l e y . c c ]
Not DivX... (3.00 / 2) (#9)
by sinclair on Thu Dec 07, 2000 at 04:45:47 AM EST

The real name of the video codec is "DivX ;-)".

And how do you pronounce ";-)", anyway? (none / 0) (#10)
by TrentC on Thu Dec 07, 2000 at 08:42:22 PM EST

When I look at it on a page, I never connect the smiley with the name. And it sounds like I'm not the only one.

Jay (=



Um... (3.00 / 3) (#7)
by pb on Wed Dec 06, 2000 at 12:58:44 PM EST

Last I saw, User-Mode Linux looked pretty experimental. It looks like a neat idea, so maybe I'll play around with it sometime. However, I don't think it's going to make it into the 2.4.x releases. I'm sure you could patch it in yourself, if that's what you meant.

However, for a server, I think I'll stick to a 2.2.x kernel, Bastille, the Open Wall security patches, and chroot (which provides most of the needed functionality w.r.t securing a service). Once everything else moves to 2.4.x, we'll see how cool User-Mode Linux is. :)
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall

Firewalls using free software (2.72 / 11) (#8)
by trhurler on Wed Dec 06, 2000 at 01:13:34 PM EST

Until Linux has a stateful firewall implementation that is reasonably well audited by -good- programmers and has had some time to shake out any unforeseen glitches, building a firewall with it is sort of like buying a brand new model from a Korean automaker: it might be a great value, and it might break down on you the day after you buy it - you just don't know. UML isn't going to change that, except to make it even worse by throwing in even more new code that can contain security problems and other bugs. This is a popular misconception: adding new code makes a thing less secure, not more so, because the number of bugs per line is a fairly well fixed number, and in security-relevant code such as UML on a firewall, those bugs are likely to be security bugs.

If you insist on running a Linux firewall, start with something like slackware, strip off EVERYTHING you don't need, don't run ANY services except possibly ssh on it (and make sure you keep that patched if you use it), and for crying out loud, READ the documentation for the firewall tool. Oh, and use a 2.2 kernel unless you want an intrusion into your network to prompt you to file a bug report for a newer one.

If, on the other hand, your desire is simply to use free software, then keep linux on your desktop if you like it, and go get OpenBSD for your firewall. You can download it, or they sell CDs at reasonable prices, which support the project's ongoing development. OpenBSD is by far the most secure general purpose Unixish operating system available to the public at any price, and configuring it to be a secure firewall is quite easy. As their webpage says, no remote holes in over three years, and that's with an install that includes services you don't need for a firewall :) Also, you can run it reasonably on a 486 for firewall purposes as long as your connection isn't going to be too much faster than, say, a DSL line.

--
'God dammit, your posts make me hard.' --LilDebbie

Yes.. but.. (none / 0) (#11)
by mindstrm_2 on Fri Dec 08, 2000 at 12:59:40 AM EST

In theory, yes, running the firewall in UML would be better than running all services in a single standard kernel.

But that doesn't mean it's a good idea. First, there will be a performance penalty unless I'm horribly mistaken. We're talking about a kernel running as a task, right?

Also, and I'm expanding on what you mean by 'firewall' here, if the intent is to firewall a network, this is the wrong approach. The firewall hardware itself should be as simple and straightforward as possible. Linux is merely one tool you might use to build such a beast. A firewall should be a small box, with very little on it.

If the intent is to simply provide some filtering for your computer, this may not be a bad idea, if the performance is there.

I wonder, though.. I've never had a firewall compromised, and it's very very simple to build a good firewall. Just don't open up external services. You will be in the same boat with yours.. if external services are passed through, you may compromise your internal hosts (your main OS). If not, it wouldn't have mattered in the first place.
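As an added illustration (not code from this thread), here is a toy two-interface stateful packet filter modelling the design Gorgonzola sketches in #5 and the point mindstrm_2 makes in #11: "ext" stands for the untrusted device handed to the UML firewall, "int" for the trusted virtual link back to the host; the interface names, addresses and the Samba port are assumptions. Unsolicited traffic arriving on "ext" is dropped unless its port has been deliberately passed through, which is exactly the case where an internal host (the main OS) becomes reachable.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str          # arriving interface: "ext" (untrusted) or "int" (trusted virtual link)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: a new connection attempt

def flow_key(p):
    # Direction-independent identity of a flow, so a reply matches its request.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class StatefulFilter:
    """Default-deny on "ext"; remember flows opened from "int" so replies get back in."""

    def __init__(self, allowed_inbound=()):
        self.allowed_inbound = set(allowed_inbound)  # (proto, dport) pairs exposed on purpose
        self.flows = set()
        self.log = []

    def filter(self, pkt):
        key = flow_key(pkt)
        if pkt.iface == "int":
            self.flows.add(key)           # trusted side may open anything
            return "ACCEPT"
        if key in self.flows:
            return "ACCEPT"               # belongs to a flow already permitted
        new = pkt.syn or pkt.proto == "udp"
        if new and (pkt.proto, pkt.dport) in self.allowed_inbound:
            self.flows.add(key)           # deliberately exposed service
            return "ACCEPT"
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"

def run(packets, allowed_inbound=()):
    fw = StatefulFilter(allowed_inbound)
    return [fw.filter(p) for p in packets], fw.log

# Constructed sample traffic: an outbound web fetch, its reply, and an unsolicited
# attempt from outside to reach the host's Samba port (139).
SAMPLE = [
    Packet("int", "tcp", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
    Packet("ext", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000),
    Packet("ext", "tcp", "198.51.100.7", 1234, "192.168.1.1", 139, syn=True),
]
```

`run(SAMPLE)` drops the third packet; `run(SAMPLE, [("tcp", 139)])` lets it through, which is the "external services passed through" case from the comment above.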

