LinuxQuestions.org
Old 01-04-2012, 03:18 PM   #1
djackso1
LQ Newbie
 
Registered: Jan 2012
Posts: 3

CIPSO Labeling of Network Packets from KVM Windows Guest OS


Can Red Hat Linux 6 KVM support of Windows Guest OS be configured to add CIPSO security labels for network packets generated by Windows Guest OS and validate CIPSO label for incoming network packets to the Windows Guest OS?

From documentation, such doesn't seem possible but wanted to check in case I'm missing something.
 
Old 01-04-2012, 10:26 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

IMHO this isn't about what Linux (Netlabel) supports but what other OSes do. And Microsoft Windows definitely does not AFAIK.
 
Old 01-05-2012, 09:53 AM   #3
djackso1
LQ Newbie
 
Registered: Jan 2012
Posts: 3

Original Poster
I recognize that Windows doesn't support security labeling of packets. I'm hoping (but not expecting) to identify a KVM + Netlabel configuration to support a) multiple Windows Guest OS instances of different security classifications (for example, Secret and Top Secret) to run on top of KVM with b) IP packets originated from applications in each Guest OS security instance being labeled with the appropriate security classification, c) incoming IP packets delivered to a given Windows Guest OS instance only if they are labeled with the appropriate security classification, and d) in a manner transparent to the Windows Guest OS instances and their applications.

This would require that KVM + NetLabel be able to intercept packets from/to Windows Guest OSs and a) modify outgoing packets to insert the appropriate security level and b) verify the correct security label for incoming packets and then modify the incoming packets to remove the security label. The label to be used for a given Windows Guest OS instance would need to be statically configured.

I don't think there is any way to do this but my level of understanding is only cursory so want to make sure before I give up on this possible multi-level secure architecture for Windows applications.
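The label-on-egress and verify-and-strip-on-ingress step described in the post above, shown at the byte level as an added example that is not part of the thread and is not Netlabel code. It assumes a single CIPSO tag type 1 with no categories and an exact-match policy against a statically configured label; the function names, DOI 16 and the level values are hypothetical.

```python
import struct

# Illustrative only: names, DOI and level values are assumptions, not Netlabel's API.
CIPSO, TAG_BITMAP = 134, 1   # IPv4 option type for CIPSO; tag type 1 (level + category bitmap)

def checksum(hdr):
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rebuild(fixed, opts, payload):
    """Emit an IPv4 packet from a 20-byte fixed header, an options area and a payload."""
    opts += b"\x00" * (-len(opts) % 4)             # pad to a 32-bit boundary
    if len(opts) > 40:
        raise ValueError("IPv4 options area is limited to 40 bytes")
    hdr = bytearray(fixed[:20] + opts)
    hdr[0] = 0x40 | (len(hdr) // 4)                # version 4, new IHL
    hdr[2:4] = struct.pack("!H", len(hdr) + len(payload))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + payload

def cipso_option(doi, level):
    tag = bytes([TAG_BITMAP, 4, 0, level])         # type, length, alignment octet, level
    return bytes([CIPSO, 6 + len(tag)]) + struct.pack("!I", doi) + tag

def label_outgoing(pkt, doi, level):
    hlen = (pkt[0] & 0x0F) * 4
    return rebuild(pkt, cipso_option(doi, level) + pkt[20:hlen], pkt[hlen:])

def accept_incoming(pkt, doi, level):
    """Return pkt with the CIPSO option stripped, or None if the label is absent or wrong."""
    hlen = (pkt[0] & 0x0F) * 4
    opts, keep, labelled, i = pkt[20:hlen], b"", False, 0
    while i < len(opts) and opts[i] != 0:          # 0 = End of Options List
        if opts[i] == 1:                           # No-Operation padding, dropped
            i += 1
            continue
        n = opts[i + 1] if i + 1 < len(opts) else 0
        if n < 2 or i + n > len(opts):
            return None                            # malformed option: fail closed
        if opts[i] == CIPSO:
            if labelled or opts[i:i + n] != cipso_option(doi, level):
                return None                        # duplicate label or exact match failed
            labelled = True
        else:
            keep += opts[i:i + n]
        i += n
    return rebuild(pkt, keep, pkt[hlen:]) if labelled else None

# Constructed sample: 192.0.2.10 -> 192.0.2.20, protocol 17, four payload bytes
SAMPLE = rebuild(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 17, 0,
                             bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])), b"", b"data")
```

Every rewritten packet needs a new IHL, total length and header checksum, and the 10-byte option comes out of the 40 bytes IPv4 allows for options, which also reduces the payload that fits under the path MTU.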
 
Old 01-06-2012, 08:12 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by djackso1
I don't think there is any way to do this
As the label is applied to a socket maybe a traffic-forwarding MitM could work but ...


Quote:
Originally Posted by djackso1
multi-level secure architecture for Windows applications.
...as with all things MitM it doesn't actually prove anything security-wise about the machines or applications behind it so calling it a "multi-level secure architecture" would be a travesty IMHO. While I'm not sure from your reply if you are forced to label traffic or if confining, isolating it could do and while NuFW is not the same as {CALI,C,R}IPSO and only works with compatible machines it might be worth having a look at just to see what's possible?


Netlabel / CIPSO:
http://www.kernel.org/doc/Documentat...cipso_ipv4.txt
http://netlabel.sourceforge.net/
http://netlabel.svn.sourceforge.net/...67&view=markup
The RFCs you can find yourself.

NuFW / Edenwall:
http://freecode.com/projects/nufw
and see http://web.archive.org/web/201107172.../www.nufw.org/ as nufw.org and edenwall.com are gone.
 
Old 01-06-2012, 11:25 AM   #5
djackso1
LQ Newbie
 
Registered: Jan 2012
Posts: 3

Original Poster
A bit more context - the network architecture employs guards between single level security enclaves and a multi-security level Unix workstation enclave. The current cross-domain guards only let thru network packets which are appropriately labeled. The desire is to also provide Windows application services within the existing multi-security level LAN without having to replace or modify the cross-domain guards.

Thus the desire to find a method of labeling packets to/from Windows guest OS in a manner transparent to the Windows guest OS and its applications.
 
Old 01-06-2012, 02:26 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Well, on to testing then. http://free.linux.hp.com/~pmoore/fil...n-07092008.pdf and http://paulmoore.livejournal.com/2884.html seem to convey it's not impossible but you'll have to do some hefty reading. See http://paulmoore.livejournal.com/tag/netlabel and consult with him on the https://admin.fedoraproject.org/mail...stinfo/selinux mailing list I'd say.
 
  

