Re: [zones-discuss] Possible to use zones for hardening? Security?
petrben, yes, that is my question too: is running in a local zone safer? That is why I created this thread.

I was thinking something like this: if someone hacks my WinXP, then he must bypass VBox. Then he is inside the local zone. Then he must get root access to the local zone. Then he must break the zone to get into the global zone. When he is in the global zone, he must gain root access. Then he is in my computer.

To prevent this, I shut down the NIC to the global zone. Then there is no communication between the global zone and local zones. So how can a hacker inside a local zone gain access to the global zone? The global zone does not respond to any communication, because its NIC is down.

But you say something like: if a hacker takes control over VBox, then he also gets inside the kernel space and then he bypasses zones and everything and is inside the global zone? He does not have to go through NICs and zones and what not?

-- 
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 Nov 2010, at 10:50, Orvar Korvar wrote:

> petrben, yes, that is my question too: is running in a local zone safer? That is why I created this thread.
>
> I was thinking something like this: if someone hacks my WinXP, then he must bypass VBox. Then he is inside the local zone. Then he must get root access to the local zone. Then he must break the zone to get into the global zone. When he is in the global zone, he must gain root access. Then he is in my computer.
>
> To prevent this, I shut down the NIC to the global zone. Then there is no communication between the global zone and local zones. So how can a hacker inside a local zone gain access to the global zone? The global zone does not respond to any communication, because its NIC is down.

There is probably no need to shut down the NIC in the global zone. As long as you configure the zone to use exclusive IP and make sure the zone is on a separate subnet from the global zone and there is no routing between the subnets, you should be fine. You could also use the Crossbow features to create an internal network and do all kinds of firewalling between your VBox zone and the rest of the world.

Paul

> But you say something like: if a hacker takes control over VBox, then he also gets inside the kernel space and then he bypasses zones and everything and is inside the global zone? He does not have to go through NICs and zones and what not?
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 November 2010 10:50, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:

> petrben, yes, that is my question too: is running in a local zone safer? That is why I created this thread.

Yep, and I found your question interesting and want to know more as well. If you are the only administrator on the machine, is there any security benefit of running VBox in the local zone? So far it seems to me that it doesn't make things worse, while there is no clear reason it should provide any remarkable advantage. The negative is that you have one more machine to administer and you may hit more problems later on upgrades etc.

> I was thinking something like this: if someone hacks my WinXP, then he must bypass VBox. Then he is inside the local zone. Then he must get root access to the local zone. Then he must break the zone to get into the global zone. When he is in the global zone, he must gain root access. Then he is in my computer.
>
> To prevent this, I shut down the NIC to the global zone. Then there is no communication between the global zone and local zones. So how can a hacker inside a local zone gain access to the global zone? The global zone does not respond to any communication, because its NIC is down.
>
> But you say something like: if a hacker takes control over VBox, then he also gets inside the kernel space and then he bypasses zones and everything and is inside the global zone? He does not have to go through NICs and zones and what not?

I'm not a security expert nor a VBox or zones developer. But if the attacker successfully exploits a hypothetical bug in the VBox driver he'll be able to corrupt the kernel memory; whether it happens in the local zone or not makes no significant difference. If he only breaks out of VBox and stays confined in the zone it is of course A difference, and even if he manages to get root in the zone there must be another serious flaw to break out of the zone.

On the other side, if it happens in the global zone and there is no local exploitable bug, he'll stay as an ordinary user in the global zone and other users will be relatively safe. Crossbow and resource management could be done in the global zone as well without the need of a zone installation. And again, in case you are the only administrator, you have no reason to mis-configure the guest to fill all available memory ...

Petr
Re: [zones-discuss] Possible to use zones for hardening? Security?
If a hacker exploits a bug in the VBox driver and corrupts kernel memory so he gets into the global zone, then maybe it is safer to not use VBox? And only use local zones for reaching the outside world? And shut down the NIC to the global zone?
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 26 November 2010 13:25, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:

> If a hacker exploits a bug in the VBox driver and corrupts kernel memory so he gets into the global zone, then maybe it is safer to not use VBox?

If such a bug exists then it'll be safer to not use VBox; however, I'm not aware of any such bug. VBox is nice, and if you need a Windows guest you can't virtualise it using zones, and actually VBox could be a good choice. The question is the added value of running VBox in a local zone.
Re: [zones-discuss] Possible to use zones for hardening? Security?
> how can I ssh into a local zone if the global zone has no outside connection??

You have 2 options.

1. From the global you can simply use zlogin zonename and you're in.
2. You can add TCP wrappers to the non-global zone to only allow ssh connections from the global.

> Date: Fri, 26 Nov 2010 04:22:56 -0800
> From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
>
> So you suspect there is no need to shut down the global NIC, if the zone uses exclusive IP and it is on a separate subnet and there is no routing between the zones? Ok, that is an interesting thought. What do you other people say? In that case a local zone can not ping (reach) the global zone?
>
> I was thinking that the only way to reach the internet would be through a local zone. The global zone should be completely isolated from the rest of the world (zones, internet) and have no working NIC. The question is, in that case, how can I ssh into a local zone if the global zone has no outside connection??
>
> (BTW, I don't know how to do what you suggest, as I am a Solaris noob. I just planned to create an exclusive-ip vnic and a vswitch and connect them - have I done what you described then? Are they on a separate subnet? Or do I need to do some additional configuration?)
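Paul's layout (exclusive-IP zone on an etherstub, on a subnet disjoint from the global zone, no routing between them) and the last reply's point that zlogin from the global zone needs no network path, put together as a small planning script. This is an added example, not code from the thread or from any Solaris tool: it checks that the planned zone subnet does not overlap the global zone's subnet and then prints the dladm/zonecfg steps. The zone name vbox0, the etherstub stub0, the vnic vnic0, the zonepath /zones/vbox0 and the RFC 5737 test addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Solaris): plan an exclusive-IP zone on its own
# private etherstub and refuse the plan if its subnet overlaps the global zone's subnet.
# Names (vbox0, stub0, vnic0, /zones/vbox0) and addresses are assumptions for the example.

# ip_to_int 192.0.2.10 -> 3221225994 (dotted quad to a 32-bit integer); runs in a subshell
# so the IFS change does not leak into the caller
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# net_of ADDR PREFIXLEN -> network address as an integer (host bits cleared)
net_of() {
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo $(( $(ip_to_int "$1") & mask ))
}

# subnets_overlap A/LEN B/LEN -> true (0) if the two networks share any address.
# Two prefixes overlap exactly when they agree on the shorter of the two prefix lengths.
subnets_overlap() {
    a_addr=${1%/*}; a_len=${1#*/}
    b_addr=${2%/*}; b_len=${2#*/}
    len=$a_len
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    [ "$(net_of "$a_addr" "$len")" -eq "$(net_of "$b_addr" "$len")" ]
}

# plan_zone ZONE GLOBAL_SUBNET ZONE_SUBNET -> prints the steps, or fails if the subnets overlap
plan_zone() {
    zone=$1; gsub=$2; zsub=$3
    if subnets_overlap "$gsub" "$zsub"; then
        echo "error: zone subnet $zsub overlaps global zone subnet $gsub; pick a disjoint range" >&2
        return 1
    fi
    cat <<EOF
# Global zone stays on $gsub; the zone gets its own IP stack on $zsub and no route between them.
# Private virtual switch (Crossbow etherstub) plus a vnic on it for the zone:
dladm create-etherstub stub0
dladm create-vnic -l stub0 vnic0
# Exclusive-IP zone owning vnic0; the global zone configures no address on stub0:
zonecfg -z $zone 'create; set zonepath=/zones/$zone; set ip-type=exclusive; add net; set physical=vnic0; end; verify; commit'
# Administer it from the global zone without any network path: zlogin $zone
EOF
}

# Stand-alone run with the constructed example subnets
plan_zone vbox0 192.0.2.0/24 198.51.100.0/24
```

The overlap check is the part worth keeping: with an exclusive-IP zone the address is configured inside the zone, so nothing on the global side stops an administrator from accidentally reusing the global zone's range, and the "no routing" property Paul relies on only holds if the two ranges really are disjoint. The printed steps are the OpenSolaris commands for an etherstub-backed exclusive-IP zone; run them as root in the global zone and then configure the zone's address from inside it.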