Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-04-2012, 03:18 PM | #1 | LQ Newbie (Registered: Jan 2012, Posts: 3)
CIPSO Labeling of Network Packets from KVM Windows Guest OS
Can Red Hat Linux 6 KVM support of Windows Guest OS be configured to add CIPSO security labels for network packets generated by Windows Guest OS and validate CIPSO label for incoming network packets to the Windows Guest OS?
From the documentation, this doesn't seem possible, but I wanted to check in case I'm missing something.
01-04-2012, 10:26 PM | #2 | Moderator (Registered: May 2001, Posts: 29,415)
IMHO this isn't about what Linux (Netlabel) supports but what other OSes do. And Microsoft Windows definitely does not AFAIK.
01-05-2012, 09:53 AM | #3 | LQ Newbie, Original Poster (Registered: Jan 2012, Posts: 3)
I recognize that Windows doesn't support security labeling of packets. I'm hoping (but not expecting) to identify a KVM + Netlabel configuration to support a) multiple Windows Guest OS instances of different security classifications (for example, Secret and Top Secret) to run on top of KVM with b) IP packets originated from applications in each Guest OS security instance being labeled with the appropriate security classification, c) incoming IP packets delivered to a given Windows Guest OS instance only if they are labeled with the appropriate security classification, and d) in a manner transparent to the Windows Guest OS instances and their applications.
This would require that KVM + NetLabel be able to intercept packets from/to Windows Guest OSs and a) modify outgoing packets to insert the appropriate security level and b) verify the correct security label for incoming packets and then modify the incoming packets to remove the security label. The label to be used for a given Windows Guest OS instance would need to be statically configured.
I don't think there is any way to do this, but my level of understanding is only cursory, so I want to make sure before I give up on this possible multi-level secure architecture for Windows applications.
01-06-2012, 08:12 AM | #4 | Moderator (Registered: May 2001, Posts: 29,415)
Quote (Originally Posted by djackso1): "I don't think there is any way to do this"
As the label is applied to a socket maybe a traffic-forwarding MitM could work but ...
Quote (Originally Posted by djackso1): "multi-level secure architecture for Window applications."
...as with all things MitM it doesn't actually prove anything security-wise about the machines or applications behind it so calling it a "multi-level secure architecture" would be a travesty IMHO. While I'm not sure from your reply if you are forced to label traffic or if confining, isolating it could do and while NuFW is not the same as {CALI,C,R}IPSO and only works with compatible machines it might be worth having a look at just to see what's possible?
Netlabel / CIPSO:
http://www.kernel.org/doc/Documentat...cipso_ipv4.txt
http://netlabel.sourceforge.net/
http://netlabel.svn.sourceforge.net/...67&view=markup
The RFCs you can find yourself.
NuFW / Edenwall:
http://freecode.com/projects/nufw
and see http://web.archive.org/web/201107172.../www.nufw.org/ as nufw.org and edenwall.com are gone.
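The labelling guard sketched in post #3 (statically label a guest's outgoing packets, admit incoming packets only when they carry the guest's label, then strip it) and the CIPSO material linked in post #4 both come down to handling IP option 134. The following is an added example, not code from the thread, NetLabel or NuFW: a small Python encoder/decoder for CIPSO tag type 1 (the restrictive bitmap tag, the format the kernel's cipso_ipv4 code implements) plus the three guard operations. The DOI, level and category numbers, the sample packet and the `SECRET` policy are all constructed for illustration; the guard logic itself (exact level match for a single-level guest, categories a subset of the guest's set, unlabelled or malformed packets dropped) is an assumption about how such a guard would be configured, not something the thread specifies.

```python
"""CIPSO/IPv4 (IP option 134, tag type 1) labelling and checking, as a transparent guard
in front of a single-level guest would need it.  Constructed example; all values are made up."""
import struct

CIPSO_OPT_TYPE = 134          # 0x86, the CIPSO IPv4 option (draft-ietf-cipso-ipsecurity-01)
TAG_RESTRICTIVE_BITMAP = 1    # tag type 1: one sensitivity level + a category bitmap
IPOPT_EOL, IPOPT_NOP = 0, 1


def ipv4_checksum(header):
    """One's-complement IPv4 header checksum; returns 0 over a header whose checksum field is valid."""
    data = bytes(header) + (b"\x00" if len(header) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ihl(packet):
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    return ihl


def _options(packet):
    """Yield each raw IPv4 option (NOP as one byte), stop at EOL, reject inconsistent lengths."""
    ihl, i = _ihl(packet), 20
    while i < ihl:
        kind = packet[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            yield packet[i:i + 1]
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed IP option")
        yield packet[i:i + packet[i + 1]]
        i += packet[i + 1]


def _rebuild(packet, options):
    """Reassemble header + payload with new options: pad to 32 bits, fix IHL, total length, checksum."""
    ihl = _ihl(packet)
    options += b"\x00" * (-len(options) % 4)            # EOL padding
    new_ihl = 20 + len(options)
    if new_ihl > 60:
        raise ValueError("IPv4 options are limited to 40 bytes")
    hdr = bytearray(packet[:20]) + options
    hdr[0] = 0x40 | (new_ihl // 4)
    hdr[2:4] = struct.pack("!H", struct.unpack("!H", packet[2:4])[0] - ihl + new_ihl)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + packet[ihl:]


def build_cipso_option(doi, level, categories=()):
    """Encode one CIPSO option carrying a single tag-type-1 label (type, len, DOI, tag)."""
    nbytes = (max(categories) // 8 + 1) if categories else 0
    if nbytes > 30 or not 0 <= level <= 255:
        raise ValueError("label does not fit tag type 1")
    bitmap = bytearray(nbytes)
    for cat in categories:                               # category n is bit n from the MSB of byte 0
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    tag = bytes([TAG_RESTRICTIVE_BITMAP, 4 + nbytes, 0, level]) + bytes(bitmap)
    return bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + struct.pack("!I", doi) + tag


def parse_cipso(packet):
    """Return (doi, level, frozenset(categories)), or None if the packet carries no CIPSO option."""
    for opt in _options(packet):
        if opt[0] != CIPSO_OPT_TYPE:
            continue
        if (len(opt) < 10 or opt[6] != TAG_RESTRICTIVE_BITMAP or opt[7] < 4
                or 6 + opt[7] != len(opt) or opt[8] != 0):    # single tag, zero alignment octet
            raise ValueError("unsupported or malformed CIPSO option")
        cats = {8 * b + k for b, byte in enumerate(opt[10:]) for k in range(8) if byte & (0x80 >> k)}
        return struct.unpack("!I", opt[2:6])[0], opt[9], frozenset(cats)
    return None


def label_outgoing(packet, doi, level, categories=()):
    """Egress: replace any label the guest itself supplied with the statically configured one."""
    keep = b"".join(o for o in _options(packet) if o[0] != CIPSO_OPT_TYPE)
    return _rebuild(packet, keep + build_cipso_option(doi, level, categories))


def strip_label(packet):
    """Ingress, after guard_accepts(): remove the CIPSO option so the guest sees a plain packet."""
    return _rebuild(packet, b"".join(o for o in _options(packet) if o[0] != CIPSO_OPT_TYPE))


def guard_accepts(packet, doi, level, categories=()):
    """Single-level guest rule (assumed policy): same DOI, exactly this level, categories a subset
    of the guest's set.  Unlabelled, truncated or malformed packets are dropped."""
    try:
        label = parse_cipso(packet)
    except (ValueError, IndexError):
        return False
    return (label is not None and label[0] == doi and label[1] == level
            and label[2] <= frozenset(categories))


def make_plain_packet(src, dst, payload=b""):
    """Constructed sample: minimal IPv4/UDP packet with no options."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0x4000, 64, 17, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + payload


if __name__ == "__main__":
    SECRET = dict(doi=1, level=5, categories=(0, 9))    # constructed per-guest static label
    pkt = make_plain_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"hello")
    labelled = label_outgoing(pkt, **SECRET)
    print(parse_cipso(labelled))                                       # (1, 5, frozenset({0, 9}))
    print(guard_accepts(labelled, **SECRET), guard_accepts(labelled, 1, 7))   # True False
    print(strip_label(labelled) == pkt)                                # True
```

The point the thread circles around shows up in `label_outgoing`: the guest's own packet is never trusted to carry a label, the guard overwrites whatever option is present, and the label is bound to the interface the guest sits behind rather than to anything the guest says. That is also why the moderator's caveat stands: the guard proves which VM a packet came from, not what the Windows applications inside it did with the data.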
01-06-2012, 11:25 AM | #5 | LQ Newbie, Original Poster (Registered: Jan 2012, Posts: 3)
A bit more context: the network architecture employs guards between single-level security enclaves and a multi-security-level Unix workstation enclave. The current cross-domain guards only let through network packets which are appropriately labeled. The desire is to also provide Windows application services within the existing multi-security-level LAN without having to replace or modify the cross-domain guards.
Thus the desire to find a method of labeling packets to/from Windows guest OS in a manner transparent to the Windows guest OS and its applications.
01-06-2012, 02:26 PM | #6 | Moderator (Registered: May 2001, Posts: 29,415)