Re: LSM for packet filtering

From: Jesse Pollard (pollardat_private)
Date: Wed Aug 14 2002 - 05:59:50 PDT


    ---------  Received message begins Here  ---------
    
    > 
    > I apologize for providing little information in my
    > question and before I ask the next question I thought
    > I will read through the docs. Now LSM makes a little
    > sense to me :-). I will try my best to ask the same
    > question in another way.
    > 
    > Consider a linux router. I want to implement certain
    > packet classification and filtering algorithms for the
    > packets coming in on an interface and leaving from
    > another interface. These packet algorithms can be as
    > simple as classifying the incoming traffic into
    > mail-traffic or web-traffic etc and filtering them
    > based on certain policies or any other complex
    > algorithm. I can use Netfilter hooks to recieve
    > packets and implement any such algorithms (which may
    > be straight forward). 
    > 
    > From the docs I understand that "LSM allows modules to
    > mediate access to kernel objects by placing hooks in
    > the kernel code just ahead of the access", and as a
    > part of the IPv4 networking hooks Netfilter API is
    > used for intercepting  packets as they traverse the IP
    > layer. At each Netfilter hook, LSM hook is called
    > before and after packets are passed to the Netfilter
    > framework. 
    > 
    > So what kind of access control does LSM envision? (what
    > can preroute_first or preroute_last etc. do?)
    
    LSM is designed for security controls. In a network I would
    want it to be able to:
    
    1. determine if security labels are present on incoming packets
    2. make authorization decisions based on those labels
    3. translate remote labels to local labels to maintain the security
       assignments on the data being passed
    4. potentially verify the identity of the sender
    5. block packets that do not meet the required security
       specifications (for example, do not pass unlabeled data to a
       host that is designated as requiring labels..., do not pass
       labeled data to a network that is not authorized for that
       label...)
    
    All of this depends on what kind of security model is provided.
    Most of the network hooks look to be preparing for an IPSec
    capable module - which to my knowledge, hasn't been written
    yet.
    
    > Can this access control be based on the header field
    > values of the IPv4 packets?
    
    Depends on the contents. If IPSec enhancements (including CIPSO
    labels) are present then yes. Depending on the security model
    being used, of course.
    
    > 
    > If it is possible to perform access control based on
    > header field values of the IPv4 packets, then is there
    > any need for Netfilter?
    
    Yes - netfilter has a different purpose. It can redirect
    packets, filter based on content of the packet, make routing
    decisions, perform NAT operations.
    
    There can be some overlap. The LSM provides a central security
    control point such that all security related decisions made in
    the kernel can be done, and is isolated (sort of) from the mechanism
    for implementing/enforcing that decision. It allows flexibility
    in choosing the type of security desired, as well as the amount.
    
    > I don't know if these questions make any sense. 
    > Thanks in advance for any replies.
    
    Not unreasonable, though I did think some of them should have
    been answered in a FAQ someplace.
    -------------------------------------------------------------------------
    Jesse I Pollard, II
    Email: pollardat_private
    
    Any opinions expressed are solely my own.
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
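The five checks Jesse lists (label present, authorization, remote-to-local translation, sender verification, blocking) as one decision function, written as an added example that is not part of this thread and not the LSM hook API: it models the policy over a constructed packet and destination policy, and the label table, struct fields and level numbers are all assumptions.

```c
#include <stdio.h>

/* Verdicts returned by the mediation function. */
enum verdict { PKT_ACCEPT = 0, PKT_DROP = 1 };

#define NO_LABEL 0   /* the packet carried no security label option */

/* Constructed remote-to-local label mapping for one peer (step 3).
 * A real module would hold one such table per trusted peer. */
struct label_map { int remote; int local; };
static const struct label_map peer_map[] = { { 10, 1 }, { 20, 2 }, { 30, 3 } };

struct packet {
    int remote_label;     /* label value from the packet, or NO_LABEL */
    int sender_verified;  /* nonzero if the sender's identity was verified (step 4) */
};

struct dest_policy {
    int requires_labels;  /* destination host accepts labeled data only */
    int max_level;        /* highest local level the destination network may carry */
};

/* Translate a remote label to a local level; -1 if no mapping exists. */
int translate_label(int remote)
{
    size_t i;
    for (i = 0; i < sizeof peer_map / sizeof peer_map[0]; i++)
        if (peer_map[i].remote == remote)
            return peer_map[i].local;
    return -1;
}

/* Steps 1-5 as one decision; unknown or unverifiable labels fail closed. */
enum verdict mediate_packet(const struct packet *p, const struct dest_policy *d)
{
    int local;
    if (p->remote_label == NO_LABEL)            /* step 1: is a label present? */
        return d->requires_labels ? PKT_DROP : PKT_ACCEPT;  /* step 5: unlabeled data, host requires labels */
    if (!p->sender_verified)                    /* step 4: label from an unverified sender is not trusted */
        return PKT_DROP;
    local = translate_label(p->remote_label);   /* step 3: remote label -> local label */
    if (local < 0)
        return PKT_DROP;                        /* no mapping: do not guess a level */
    return local <= d->max_level ? PKT_ACCEPT : PKT_DROP;  /* steps 2 and 5: network ceiling */
}

int main(void)
{
    struct packet p = { 30, 1 };        /* constructed: labeled, verified sender */
    struct dest_policy net = { 1, 2 };  /* constructed: labels required, level 2 ceiling */
    printf("verdict: %s\n", mediate_packet(&p, &net) == PKT_DROP ? "drop" : "accept");
    return 0;
}
```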
    



    This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 06:01:12 PDT