Hosting an application on a type enforcement system requires analyzing the application to determine what resources the application requires. Often the access that an application needs can be reduced to improve security. This step may require modification to the application. The ability to separate applications, to control data flowing through the system, and to divide the application into small steps allows type enforcement to secure applications with the newest features as quickly as possible.
Exhibit 6. Sidewinder Internet Firewall Configuration.
Developed by Secure Computing, Sidewinder is an Internet firewall that has incorporated the LOCK type-enforcement mechanism to provide enhanced security against Internet threats. To maximize compatibility with networks and existing protocols, Sidewinder was created by modifying BSDi UNIX. The Sidewinder is a turnkey system that resides between the Internet router and the internal network, as shown in Exhibit 6.
Traditional UNIX has been described as a hard crunchy exterior surrounding a soft gooey center. This description refers to the structure of UNIX systems, the core of which is an all-powerful root account. Once an attacker gets into the root account, he or she can completely compromise the system. In addition, standard UNIX does not have tight control over how data files are shared among the processes running on a system. Thus, an intruder who manages to break into one area of a system can widen the initial foothold until he or she can gain access to any file on the system. The type enforcement security mechanism closes this vulnerability.
Type enforcement in Sidewinder cannot be bypassed. Even when a process is running as root, it is constrained by type enforcement. If a hacker obtains root access, the hacker is limited to the domain in which he or she started. To compromise Sidewinder, a hacker must bypass both UNIX protection mechanisms and type enforcement, as shown in Exhibit 7. Compromising UNIX is more difficult on Sidewinder, because the type-enforced honeycomb structure places vulnerable configuration files and UNIX tools out of a hacker's reach.
Exhibit 7. Protection Provided by Type Enforcement and UNIX.
The goal of the Sidewinder system is to connect an internal network securely to the Internet. Internal users can access Internet services, such as E-mail and the World Wide Web, without exposing the internal network to unauthorized users. In addition to type enforcement, Secure Computing included three other features to make the Sidewinder firewall a more effective security system: two kernels, controlled system calls, and network separation.
Sidewinder does not have the root privilege that is found on standard UNIX systems. To provide a secure method for the system administrator to modify the security-relevant information, Sidewinder uses two kernels:
| Operational | Administrative |
|---|---|
| Uses type-enforced BSDi/386 UNIX; restricted access to system calls. | Uses standard UNIX. |
| Normal operating state. | Used when performing certain privileged administrative tasks. |
| Internet services are available. | Network connections are disabled. |
| System is protected by Type Enforcement. | Type Enforcement is disabled. |
| Divided into many application domains; each can have its own administration domain. | Divided into the standard UNIX domains, user and root. |
| Administrator access controlled by roles. | Administrator access controlled by file privileges. |
| A process's access to files is restricted based on the DDT. | A process's access to files is not restricted. |
Type enforcement provides excellent separation at the file level. However, UNIX has many privileged system calls that allow users to access the kernel directly. Many system vulnerabilities result from malicious users employing system calls to compromise the system. Sidewinder solves this problem with a series of special flags for each domain, which indicate which system calls can be made from that domain. For example, the is_admin flag is set only in domains that can be accessed by the administrator. This control allows the administrator to make system calls that no one else has the authorization to make. Note that these flags are part of the type enforcement information and cannot be modified while the system is running. Even root access will not allow a process to make disallowed calls. Untrusted users or software applications are placed in domains that do not have access to these powerful system calls.
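The two checks described above, a DDT (domain definition table) lookup on every file access and a per-domain flag such as is_admin on privileged system calls, can be modelled in a few lines. The following is an added illustration, not Sidewinder's code: the domain names, type labels, DDT rows and the set of flagged system calls are all constructed for the example. It shows why root in an untrusted domain gains nothing, since both the UNIX check and the type-enforcement check must pass (Exhibit 7) and the identity check is the only one root bypasses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int      # 0 is root
    domain: str   # type-enforcement domain, fixed when the process starts

@dataclass(frozen=True)
class File:
    owner: int
    mode: int     # UNIX permission bits, e.g. 0o644
    te_type: str  # type-enforcement type label on the file

# Constructed DDT: (domain, type) -> accesses permitted. Absent pair means no access.
DDT = {
    ("http_proxy", "proxy_config"): {"read"},
    ("http_proxy", "proxy_log"): {"read", "write"},
    ("admin", "te_policy"): {"read", "write"},
    ("admin", "proxy_config"): {"read", "write"},
}

# Constructed per-domain flags; only the page's is_admin flag is modelled.
DOMAIN_FLAGS = {"admin": {"is_admin"}, "http_proxy": set()}

# Constructed list of privileged system calls and the flag each requires.
SYSCALL_FLAG = {"reboot": "is_admin", "settimeofday": "is_admin"}

def unix_allows(p: Process, f: File, access: str) -> bool:
    """Standard UNIX discretionary check: root bypasses it entirely."""
    if p.uid == 0:
        return True
    bits = (f.mode >> 6) & 0o7 if p.uid == f.owner else f.mode & 0o7
    return bool(bits & (0o4 if access == "read" else 0o2))

def te_allows(p: Process, f: File, access: str) -> bool:
    """Type-enforcement check: uid is irrelevant, only the (domain, type) pair counts."""
    return access in DDT.get((p.domain, f.te_type), set())

def file_access(p: Process, f: File, access: str) -> bool:
    """Both layers must agree, so root inside a restricted domain is still confined."""
    return unix_allows(p, f, access) and te_allows(p, f, access)

def syscall_allowed(p: Process, name: str) -> bool:
    """A flagged system call needs the flag set on the caller's domain, root or not."""
    flag = SYSCALL_FLAG.get(name)
    return flag is None or flag in DOMAIN_FLAGS.get(p.domain, set())
```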