Presentation is loading. Please wait.

Presentation is loading. Please wait.

Netconf 2006 Tokyo Paul Moore

Published byNoel Chandler Modified over 5 years ago

Similar presentations

Presentation on theme: "Netconf 2006 Tokyo Paul Moore"— Presentation transcript:

1 Netconf 2006 Tokyo Paul Moore paul.moore@hp.com
NetLabel Netconf 2006 Tokyo Paul Moore

2 Agenda Introduction Design goals Architectural overview
Initial implementation SELinux support Future ideas

3 Introduction Growing number of Trusted OS users want to shift from legacy Trusted OSes to Linux Requires labeling of all user generated traffic Requires interoperability with legacy labeling protocols Wants labels that are understandable on the wire Unfortunately the IPsec SA labeling mechanism does not satisfy all of these requirements

4 Design Goals Protocols must be supported by existing Trusted OSes
CIPSO, RIPSO, TSIX/MAXSIX Implementation must be well contained Use existing LSM hooks and data structures Performance impact must be minimal Zero impact when not enabled at compilation Minimal impact when enabled but not configured

5 Architectural Overview
Utilize existing SKB receive and socket syscall LSM hooks Outbound packets are labeled by adding an IP option to the socket Inbound packet IP options are parsed/validated as part of normal option processing Access control handled in the LSM Management is handled through the Generic Netlink interface Implementation is LSM agnostic

6 Initial Implementation
Provides minimal CIPSO support Limited to labeling packets with the MLS label Configuration parameters not explicitly supported Implementation is limited to MUST support Supports multiple CIPSO DOIs and unlabeled traffic Type of outbound labeling can be defined on a per-LSM-domain basis No requirements are placed on the CIPSO DOIs used for incoming traffic

7 SELinux Support Sockets are assigned IP options/labels based on their context If unable to set the IP option then socket creation is denied or writes are not allowed Sockets created by incoming connections are labeled according to the connection New context is a combination of the parent socket’s SELinux context and the connection’s MLS label Context of incoming traffic is generated similar to incoming TCP connections

8 Future Ideas Provide better CIPSO support The remaining tag types
CIPSO/IPv6 as used by Trusted Solaris Investigate support for other labeling protocols such as RIPSO, TSIX/MAXSIX Implement support for sending full SELinux contexts General improvements, etc

9 More Information Kernel patches in net-2.6.19
SourceForge project started to hold userspace utilities

Download ppt "Netconf 2006 Tokyo Paul Moore"

Similar presentations

Florida State UniversityCOP5570 - Advanced Unix Programming Raw Sockets Datalink Access Chapters 25, 26.

Florida State UniversityCOP Advanced Unix Programming Raw Sockets Datalink Access Chapters 25, 26.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
OFED TCP Port Mapper Proposal June 15, 2011. Overview Current NE020 Linux OFED driver uses host TCP/IP stack MAC and IP address for RDMA connections Hardware.

OFED TCP Port Mapper Proposal June 15, Overview Current NE020 Linux OFED driver uses host TCP/IP stack MAC and IP address for RDMA connections Hardware.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Chapter 9 Building a Secure Operating System for Linux.

Chapter 9 Building a Secure Operating System for Linux.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
1 Network Packet Generator Characterization presentation Supervisor: Mony Orbach Presenting: Eugeney Ryzhyk, Igor Brevdo.

1 Network Packet Generator Characterization presentation Supervisor: Mony Orbach Presenting: Eugeney Ryzhyk, Igor Brevdo.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
Optical Ring Networks Research over MAC protocols for optical ring networks with packet switching. MAC protocols divide the ring bandwidth according to.

Optical Ring Networks Research over MAC protocols for optical ring networks with packet switching. MAC protocols divide the ring bandwidth according to.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Network based IP VPN Architecture using Virtual Routers Jessica Yu CoSine Communications, Inc. Feb. 19 th, 2001.

Network based IP VPN Architecture using Virtual Routers Jessica Yu CoSine Communications, Inc. Feb. 19 th, 2001.
© 2005,2006 NeoAccel Inc. Training Access Modes. © 2005,2006 NeoAccel Inc. Agenda 2. Access Terminals 6. Quick Access Terminal Client 3. SSL VPN-Plus.

© 2005,2006 NeoAccel Inc. Training Access Modes. © 2005,2006 NeoAccel Inc. Agenda 2. Access Terminals 6. Quick Access Terminal Client 3. SSL VPN-Plus.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Windows 7 Firewall.

Windows 7 Firewall.
Access Control List (ACL)

Access Control List (ACL)
1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.

1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.

Similar presentations

Ads by Google