Mandatory Access Control Networking Update - Netconf 2006 Tokyo


Published on June 30, 2009

Author: jamesmorris



"Mandatory Access Control Networking Update", presentation given at Netconf 2006 in Tokyo, with an update on Labeled Networking and other MAC features.

Mandatory Access Control Networking Update
Netconf 2006 Tokyo
James Morris

MAC Networking
● Applying Mandatory Access Control (MAC) security to networking:
  1) Local communications
    ● Unix Domain
    ● Netlink etc.
  2) Local labeling of network packets & objects
    ● Packet filtering
  3) Distributed MAC
    ● Labeled networking

Status – since last year
● SELinux packet filtering controls have been re-implemented with Secmark:
  – Utilizes IPTables, conntrack etc.
  – Separates labeling and enforcement
  – Much more powerful & flexible
  – Policy is greatly simplified

Status (cont'd)
● Native IPSec/xfrm labeling extended by TCS to provide full support for LSPP (used to be B1) certification.
  – Implements Multilevel Security (MLS), but is generic.

Status (cont'd)
● Support for legacy MLS networking added by HP (“Netlabel”):
  – CIPSO ­    case 0x86: /* Another "Commercial Security" crap. */ +    case IPOPT_CIPSO:
  – RIPSO and others possible
● Provides interoperability with legacy MLS systems such as Trusted Solaris.
● Argus also porting their CIPSO implementation.
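The CIPSO option named on this slide, as an added example (not from the presentation and not the kernel's NetLabel code): a bounds-checked C parser for an IPv4 option of type 0x86 carrying one tag type 1 (bit-mapped) label, laid out as in the IETF CIPSO draft (draft-ietf-cipso-ipsecurity-01). The struct, function names and sample bytes are constructed for illustration, and only the first tag in the option is examined.

```c
#include <stdint.h>
#include <string.h>

#define IPOPT_CIPSO   0x86 /* IPv4 option type 134, the value in the slide */
#define CIPSO_HDR_LEN 6    /* option type + option length + 4-byte DOI */
#define CIPSO_TAG_RBM 1    /* tag type 1: bit-mapped categories */
#define CIPSO_RBM_HDR 4    /* tag type + tag length + alignment + level */

struct cipso_label {       /* hypothetical result type for this example */
    uint32_t doi;          /* domain of interpretation */
    uint8_t  level;        /* sensitivity level */
    uint8_t  cats[30];     /* category bitmap, category 0 = MSB of cats[0] */
    size_t   cats_len;     /* bytes of bitmap actually present */
};

/* Constructed sample: DOI 3, level 5, categories 0 and 9 set. */
static const uint8_t sample_opt[] = {
    0x86, 12, 0, 0, 0, 3,  /* type, option length, DOI */
    1, 6, 0, 5, 0x80, 0x40 /* tag type, tag length, alignment, level, bitmap */
};

/* Parse one CIPSO option; returns 0 on success, -1 if malformed or truncated. */
int cipso_parse(const uint8_t *opt, size_t avail, struct cipso_label *out)
{
    if (avail < CIPSO_HDR_LEN + CIPSO_RBM_HDR || opt[0] != IPOPT_CIPSO)
        return -1;
    size_t optlen = opt[1];  /* must fit the buffer and the 40-byte options area */
    if (optlen > avail || optlen > 40 || optlen < CIPSO_HDR_LEN + CIPSO_RBM_HDR)
        return -1;
    const uint8_t *tag = opt + CIPSO_HDR_LEN;
    size_t taglen = tag[1];  /* tag must stay inside the option and the bitmap buffer */
    if (tag[0] != CIPSO_TAG_RBM || taglen < CIPSO_RBM_HDR ||
        taglen > optlen - CIPSO_HDR_LEN || taglen - CIPSO_RBM_HDR > sizeof(out->cats))
        return -1;
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8) | opt[5];
    out->level = tag[3];     /* tag[2] is the alignment octet, not checked here */
    out->cats_len = taglen - CIPSO_RBM_HDR;
    memset(out->cats, 0, sizeof(out->cats));
    memcpy(out->cats, tag + CIPSO_RBM_HDR, out->cats_len);
    return 0;
}

/* Returns 1 if category n is set in the parsed label, 0 otherwise. */
int cipso_has_cat(const struct cipso_label *l, unsigned n)
{
    return n / 8 < l->cats_len && ((l->cats[n / 8] >> (7 - n % 8)) & 1);
}
```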

Futures
● Consolidation of labeling schemes (TCS has posted patches), so they all work well together.
● Complete LSPP/EAL4+ certification with RHEL5, which will include SELinux and native labeled networking.
● Look for ways to make labeled networking more generally useful (using Type Enforcement)
  – Example: protected paths between web server and database server processes.

Conclusions
● While immediately most useful to government & military users, the MAC networking frameworks have been implemented generically.
● These features are unprecedented in a general purpose OS.
● Linux now has perhaps the richest network security feature set ever.
