SlideShare a Scribd company logo

Mandatory Access Control Networking Update - Netonf 2006 Tokyo

J
James Morris

The document discusses the application of Mandatory Access Control (MAC) in networking, focusing on local communications and packet filtering. It highlights updates on SELinux packet filtering, the implementation of multilevel security through IPSec/XFRM, and interoperability with legacy systems. The conclusion notes that while these features cater primarily to government and military users, they provide unprecedented security capabilities in a general-purpose OS like Linux.

TechnologyBusiness
1 of 7
Download to read offline
1
2
3
4
5
6
7
Mandatory Access Control Networking Update Netconf 2006 Tokyo James Morris jmorris@namei.org    
MAC Networking ● Applying Mandatory Access Control (MAC) security to networking: 1) Local communications ● Unix Domain ● Netlink etc. 2) Local labeling of network packets & objects ● Packet filtering 3) Distributed MAC ● Labeled networking    
Status – since last year ● SELinux packet filtering controls have been re- implemented with Secmark: – Utilizes IPTables, conntrack etc. – Separates labeling and enforcement – Much more powerful & flexible – Policy is greatly simplified    
Status (cont'd) ● Native IPSec/xfrm labeling extended by TCS to provide full support for LSPP (used to be B1) certification. – Implements Multilevel Security (MLS), but is generic.    
Status (cont'd) ● Support for legacy MLS networking added by HP (“N etlabel” ): – CIPSO ­    case 0x86: /* Another "Commercial Security" crap. */ +    case IPOPT_CIPSO: – RIPSO and others possible ● Provides interoperability with legacy MLS systems such as Trusted Solaris. ● Argus also porting their CIPSO implementation.    
Futures ● Consolidation of labeling schemes (TCS has posted patches), so they all work well together. ● Complete LSPP/EAL4+ certification with RHEL5, which will include SELinux and native labeled networking. ● Look for ways to make labeled networking more generally useful (using Type Enforcement) – Example: protected paths between web server and database server processes.    
Conclusions ● While immediately most useful to government & military users, the MAC networking frameworks have been implemented generically. ● These features are unprecedented in a general purpose OS. ● Linux now has perhaps the richest network security feature set ever.    

More Related Content

PDF
Directions in SELinux Networking
James Morris
 
PDF
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
James Morris
 
PDF
Adding Extended Attribute Support to NFS
James Morris
 
PDF
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
PDF
Linux Kernel Security Overview - KCA 2009
James Morris
 
PPT
Firewall
guestdb9bc9
 
PPTX
Using distributed firewalls in securing LANs
ANTHONY C. OKIGBO
 
PDF
Futurecom 2019 - NECOS
Fabio Verdi
 
Directions in SELinux Networking
James Morris
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
James Morris
 
Adding Extended Attribute Support to NFS
James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
Linux Kernel Security Overview - KCA 2009
James Morris
 
Firewall
guestdb9bc9
 
Using distributed firewalls in securing LANs
ANTHONY C. OKIGBO
 
Futurecom 2019 - NECOS
Fabio Verdi
 

What's hot (7)

PDF
Futex Scaling for Multi-core Systems
Davidlohr Bueso
 
PDF
Minix3 fosdem2014
keesj
 
PDF
Mediation MS-X Lawful Interception
Angelo Papi
 
PDF
Intoduction to TinyOS, nesC and TOSSIM
Prakhar Bansal
 
PPTX
Micaz and TelosB
deepakraj348
 
PDF
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
PPTX
Firewall DMZ Zone
NetProtocol Xpert
 
Futex Scaling for Multi-core Systems
Davidlohr Bueso
 
Minix3 fosdem2014
keesj
 
Mediation MS-X Lawful Interception
Angelo Papi
 
Intoduction to TinyOS, nesC and TOSSIM
Prakhar Bansal
 
Micaz and TelosB
deepakraj348
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
Firewall DMZ Zone
NetProtocol Xpert
 
Ad

Similar to Mandatory Access Control Networking Update - Netonf 2006 Tokyo (20)

PPTX
Pristine rina-security-icc-2016
ICT PRISTINE
 
PDF
[cb22] Tales of 5G hacking by Karsten Nohl
CODE BLUE
 
DOCX
Implementation of intelligent wide area network(wan)- report
Jatin Singh
 
PPTX
6 Month Telecommunication Training
Techies Institute
 
PDF
下午1 intel yang, elton_mee_go-arch-update-final
csdnmobile
 
PPTX
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
Sandeep Patil
 
PDF
Netw204 Quiz Answers Essay
Jennifer Letterman
 
PPTX
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
MayaData Inc
 
PDF
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
PPTX
Geef Industry 4.0 een boost
Howest_ENM
 
PDF
Sigtran introduction
naqibullah Olfat
 
PPT
Cluster Computing
NIKHIL NAIR
 
PDF
Ap 06 4_10_simek
Nguyen Vinh
 
PDF
Project report
ayush13bbm
 
PDF
netconf, restconf, grpc_basic
Gyewan An
 
PDF
Performance improvement by
IJCNCJournal
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
PPT
Linux vs windows
Dhaivat Zala
 
PPTX
IoT System Management ppt SNMP simple network
narikamalliy
 
PDF
sigtran
krsgowri
 
Pristine rina-security-icc-2016
ICT PRISTINE
 
[cb22] Tales of 5G hacking by Karsten Nohl
CODE BLUE
 
Implementation of intelligent wide area network(wan)- report
Jatin Singh
 
6 Month Telecommunication Training
Techies Institute
 
下午1 intel yang, elton_mee_go-arch-update-final
csdnmobile
 
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
Sandeep Patil
 
Netw204 Quiz Answers Essay
Jennifer Letterman
 
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
MayaData Inc
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
Geef Industry 4.0 een boost
Howest_ENM
 
Sigtran introduction
naqibullah Olfat
 
Cluster Computing
NIKHIL NAIR
 
Ap 06 4_10_simek
Nguyen Vinh
 
Project report
ayush13bbm
 
netconf, restconf, grpc_basic
Gyewan An
 
Performance improvement by
IJCNCJournal
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
Linux vs windows
Dhaivat Zala
 
IoT System Management ppt SNMP simple network
narikamalliy
 
sigtran
krsgowri
 
Ad

More from James Morris (12)

PDF
Secure and Simple Sandboxing in SELinux
James Morris
 
PDF
sVirt: Hardening Linux Virtualization with Mandatory Access Control
James Morris
 
PDF
OLPC Networking Overview
James Morris
 
PDF
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
PDF
SELinux Project Overview - Linux Foundation Japan Symposium 2008
James Morris
 
PDF
Kernel Security for 2.8 - Kernel Summit 2004
James Morris
 
PDF
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
James Morris
 
PDF
The State of Security Enhanced Linux - FOSS.IN/2007
James Morris
 
PDF
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
James Morris
 
PDF
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
PDF
SELinux Kernel Internals and Architecture - FOSS.IN/2005
James Morris
 
PDF
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
James Morris
 
Secure and Simple Sandboxing in SELinux
James Morris
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
James Morris
 
OLPC Networking Overview
James Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
James Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
James Morris
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
James Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
James Morris
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
James Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
James Morris
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Encapsulation theory and applications.pdf
gurumoop
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
A Presentation on Artificial Intelligence
memembruh336
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 

Mandatory Access Control Networking Update - Netonf 2006 Tokyo

  • 1. Mandatory Access Control Networking Update Netconf 2006 Tokyo James Morris jmorris@namei.org    
  • 2. MAC Networking ● Applying Mandatory Access Control (MAC) security to networking: 1) Local communications ● Unix Domain ● Netlink etc. 2) Local labeling of network packets & objects ● Packet filtering 3) Distributed MAC ● Labeled networking    
  • 3. Status – since last year ● SELinux packet filtering controls have been re- implemented with Secmark: – Utilizes IPTables, conntrack etc. – Separates labeling and enforcement – Much more powerful & flexible – Policy is greatly simplified    
  • 4. Status (cont'd) ● Native IPSec/xfrm labeling extended by TCS to provide full support for LSPP (used to be B1) certification. – Implements Multilevel Security (MLS), but is generic.    
  • 5. Status (cont'd) ● Support for legacy MLS networking added by HP (“N etlabel” ): – CIPSO ­    case 0x86: /* Another "Commercial Security" crap. */ +    case IPOPT_CIPSO: – RIPSO and others possible ● Provides interoperability with legacy MLS systems such as Trusted Solaris. ● Argus also porting their CIPSO implementation.    
  • 6. Futures ● Consolidation of labeling schemes (TCS has posted patches), so they all work well together. ● Complete LSPP/EAL4+ certification with RHEL5, which will include SELinux and native labeled networking. ● Look for ways to make labeled networking more generally useful (using Type Enforcement) – Example: protected paths between web server and database server processes.    
  • 7. Conclusions ● While immediately most useful to government & military users, the MAC networking frameworks have been implemented generically. ● These features are unprecedented in a general purpose OS. ● Linux now has perhaps the richest network security feature set ever.