We're using crossbow to facilitate Zone routing while using the global zone as a router and OpenVPN (an SSL-based VPN solution).

It allows us to create (using VNICs) exclusive IP stack non-global zones on the same physical interfaces, so that we can route each zone independently of the other. The end result is a security product that has segregated zones as resources to the network for whatever capacity they need to be in.

-Trish (SPL)

> -----Original Message-----
> From: crossbow-discuss-bounces at opensolaris.org [mailto:crossbow-discuss-bounces at opensolaris.org] On Behalf Of Stephanie.Brucker at Sun.COM
> Sent: Monday, February 04, 2008 2:54 PM
> To: Xiaobo Wang
> Cc: Michelle.Olson at Sun.COM; crossbow-discuss at opensolaris.org
> Subject: Re: [crossbow-discuss] Ideas for growing the community
>
> Hi Xiaobo -
>
> Thanks for your suggestions. I've been on medical leave most of January
> so apologies for not responding to you sooner. It's possible that others
> on the Crossbow team may have responded already.
>
> The use cases sound interesting indeed. I'm not sure that we can
> implement them here in our Labs. Engineers, any thoughts? If the cases
> are deemed too specific for our more generic docs, I still think they
> are great. Therefore, my question to you is, do you have documentation,
> HowTos, etc., on how to set up and test your use cases? We have an
> enthusiastic OpenSolaris documentation community that provides HowTos
> and other information, like use cases, on the Documentation web site and
> on the Documentation Wiki. Here's a URL to the System Administration
> Wiki, for example:
>
> http://opensolaris.org/os/community/documentation/doc_index/sysadmin
>
> If you are interested in providing material, I could work with you, or
> at least point you to the OpenSolaris documentation community.
>
> - Steff
>
> Xiaobo Wang wrote:
> > Steff
> >
> > Here are some applications that may be interesting crossbow use cases.
> >
> > 1) A VoIP aware firewall provides secured connections between a
> > customer and partners. Multiple types of services may run on the
> > device, e.g., SIP on UDP, H.323 on TCP, etc. Each service may also run
> > on multiple IPs or multiple ports on same IP for different groups of
> > users (e.g., separate IPs for trusted, semi-trusted, and untrusted
> > users). Device may be connected to the public network and may be
> > attacked. The goal is to use crossbow to mitigate / control attacks on
> > VoIP services. For example
> >
> > a) Attacks on one IP (VNIC) should not affect services running on
> > other IP (VNIC)
> >
> > b) Attacks on one protocol (e.g., H.323/TCP) should not affect
> > services running on other protocols (e.g., SIP/UDP).
> >
> > c) Attacks on one port should not affect services running on other
> > ports or IP/ports (that means at most one group of users may be
> > affected.)
> >
> > 2) This use case is similar to case 1 but has additional goal to use
> > crossbow to protect all services, including the service under attacks.
> > The hope is to use crossbow's h/w based packet classification and flow
> > control functions, integrated with network and application level
> > intrusion detection functions, to detect and block bad traffic at near
> > wire speed.
> >
> > Note case 2 is more interesting because: 1) for critical services
> > user wants to protect all users, including the user whose service is
> > under attack; 2) it seems there has not been much study on how fast
> > crossbow can block packets (vs. some work has been done on how fast
> > crossbow can forward packets). Such data is important for security
> > applications and I think many users will be interested in knowing the
> > results.
> >
> > Hope it helps
> >
> > Xiaobo
> >
> > This message posted from opensolaris.org
> > _______________________________________________
> > crossbow-discuss mailing list
> > crossbow-discuss at opensolaris.org
> > http://mail.opensolaris.org/mailman/listinfo/crossbow-discuss