Re: [zones-discuss] Possible to use zones for hardening? Security?
Assuming you're using the shared IP stack (default), it is sufficient for the global zone interface(s) to be plumbed so that the non-global zones can use logical instances of the interface(s). So setting the GZ interfaces as "down" will prevent network access to/from the global zone.

--Glenn

Jordan Vaughan wrote:
> Is there a way to disable all remote connections to the GZ? In other words, couldn't you use a firewall to reject connections on all ports to the GZ? That would effectively deny remote access to the GZ without having to disable any network interfaces. Of course, disabling the GZ's interface(s) is preferable (it's simpler), but I'm not sure if it's possible. I haven't tried it.
>
> Jordan
>
> On 09/29/10 10:33 AM, Orvar Korvar wrote:
>> Ok, so it is impossible to shut down the internet connection to the global zone and surf only from the local zones. If I want to surf from the local zones, the global zone's NIC must be activated. I suspect a hacker will attack the global zone, instead of the local zone that I surf from.
>>
>> Are there any other ways to increase security instead of my original plan (shutting down the global zone and surf from local zones)? I am afraid the global zone will be attacked...

--
ORACLE ®
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering

___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
Is there a way to disable all remote connections to the GZ? In other words, couldn't you use a firewall to reject connections on all ports to the GZ? That would effectively deny remote access to the GZ without having to disable any network interfaces. Of course, disabling the GZ's interface(s) is preferable (it's simpler), but I'm not sure if it's possible. I haven't tried it.

Jordan

On 09/29/10 10:33 AM, Orvar Korvar wrote:
> Ok, so it is impossible to shut down the internet connection to the global zone and surf only from the local zones. If I want to surf from the local zones, the global zone's NIC must be activated. I suspect a hacker will attack the global zone, instead of the local zone that I surf from.
>
> Are there any other ways to increase security instead of my original plan (shutting down the global zone and surf from local zones)? I am afraid the global zone will be attacked...
Re: [zones-discuss] Possible to use zones for hardening? Security?
Hi,

You cannot shut down the GZ. The GZ runs the kernel and all services for the NGZs. But you can set up a firewall to restrict access to IP, TCP service and port.

--- Original message ---
From: Orvar Korvar
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 13:33

> Ok, so it is impossible to shut down the internet connection to the global zone and surf only from the local zones. If I want to surf from the local zones, the global zone's NIC must be activated. I suspect a hacker will attack the global zone, instead of the local zone that I surf from.
>
> Are there any other ways to increase security instead of my original plan (shutting down the global zone and surf from local zones)? I am afraid the global zone will be attacked...
>
> --
> This message posted from opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
Orvar Korvar wrote:
> Ok, so it is impossible to shut down the internet connection to the global zone
> and surf only from the local zones. If I want to surf from the local zones,
> the global zone's NIC must be activated. I suspect a hacker will attack the
> global zone, instead of the local zone that I surf from.

There's no need to assign any addresses to the global zone. I'm pretty sure there are others (Dan McDonald, probably) who have experimented with the sort of configuration you're describing.

> Are there any other ways to increase security instead of my original plan
> (shutting down the global zone and surf from local zones)? I am afraid the
> global zone will be attacked...

If you set up the global zone having no interfaces (just lo0), and set up the non-global zones using the "set ip-type=exclusive" mechanism, the non-global zones will have networking that's completely independent of the global zone. You can't "shut down" the global zone, but you certainly can configure it so that it doesn't have any available networking interfaces.

--
James Carlson 42.703N 71.076W
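Both configurations proposed in this thread, James's (global zone with only lo0 plumbed, non-global zones with ip-type=exclusive) and Glenn's earlier one (shared IP stack, GZ interfaces marked down), can be verified from captured command output. The script below is an added example for this page, not code from the list, from Oracle or from Solaris itself. It emits the zonecfg command script for an exclusive-IP zone and parses the text of `ifconfig -a` (run in the global zone) and `zonecfg -z <zone> export`. The zonepath /zones/web, the VNIC name vnic0 and the 192.0.2.0/24 addresses are assumptions, and the embedded sample outputs are constructed; the "zone <name>" line that marks a shared-IP logical interface's owner follows the global-zone ifconfig format as I know it.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from Solaris.
# Checks for the "global zone without usable networking" configuration:
#   gz_external_addrs   reads `ifconfig -a` output from the global zone and
#                       prints every non-loopback interface that carries an
#                       address and is not owned by a non-global zone
#   zone_ip_type        reads `zonecfg -z <zone> export` output and prints
#                       the zone's ip-type (exclusive, or shared by default)
#   exclusive_zone_cfg  emits the zonecfg script for an exclusive-IP zone
# The zonepath /zones/web and VNIC name vnic0 used below are assumptions.

# Usage: ifconfig -a | gz_external_addrs      (in the global zone)
# Output lines look like "e1000g0 UP 192.0.2.10"; empty output means only
# lo0 and zone-owned logical interfaces carry addresses. An interface that
# is merely marked down still shows up, as "e1000g0 DOWN 192.0.2.10".
gz_external_addrs() {
    awk '
        # report the interface block just finished, unless it is loopback,
        # owned by a shared-IP zone (ifconfig prints a "zone <name>" line
        # under such logical interfaces), or carries no address at all
        function report() {
            if (iface != "" && iface !~ /^lo[0-9]+/ && zone == "" && addrs != "")
                print iface " " state addrs
            iface = ""; zone = ""; addrs = ""
        }
        # interface header, e.g. "e1000g0:1: flags=1000843<UP,...> mtu 1500"
        /^[A-Za-z0-9_.]+(:[0-9]+)?: flags=/ {
            report()
            iface = $1; sub(/:$/, "", iface)
            state = ($2 ~ /<UP[,>]/) ? "UP" : "DOWN"
            next
        }
        $1 == "zone" { zone = $2; next }
        # skip the placeholder addresses of a plumbed but unconfigured interface
        ($1 == "inet" || $1 == "inet6") && $2 != "0.0.0.0" && $2 != "::/0" {
            addrs = addrs " " $2
        }
        END { report() }
    '
}

# Usage: zonecfg -z web export | zone_ip_type
zone_ip_type() {
    awk '
        $1 == "set" && $2 ~ /^ip-type=/ { t = substr($2, 9) }
        END { if (t == "") t = "shared"; print t }
    '
}

# Usage: exclusive_zone_cfg /zones/web vnic0 > web.cfg; zonecfg -z web -f web.cfg
# An exclusive-IP zone owns a whole datalink (here a Crossbow VNIC) and
# configures its addresses inside the zone, so there is no "set address=" line
# and the global zone never plumbs an address for it.
exclusive_zone_cfg() {
    printf 'create -b\nset zonepath=%s\nset autoboot=true\nset ip-type=exclusive\nadd net\nset physical=%s\nend\n' "$1" "$2"
}

# Constructed sample `ifconfig -a` output: global zone with only lo0 plumbed
GZ_ISOLATED='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128'

# Constructed sample: the GZ has its own address on e1000g0, and a shared-IP
# zone "web" uses the logical interface e1000g0:1 (reported to the zone, not the GZ)
GZ_EXPOSED="$GZ_ISOLATED
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
        ether 0:0:0:0:0:1
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone web
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255"

# Constructed sample: Glenn's variant, the GZ interface marked down but still addressed
GZ_DOWN='e1000g0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255'

# Constructed sample `zonecfg export` of a shared-IP zone (no ip-type line)
SHARED_EXPORT='create -b
set zonepath=/zones/old
set autoboot=false
add net
set address=192.0.2.11/24
set physical=e1000g0
end'

printf 'isolated GZ : [%s]\n' "$(printf '%s\n' "$GZ_ISOLATED" | gz_external_addrs)"
printf 'exposed GZ  : [%s]\n' "$(printf '%s\n' "$GZ_EXPOSED" | gz_external_addrs)"
printf 'downed GZ   : [%s]\n' "$(printf '%s\n' "$GZ_DOWN" | gz_external_addrs)"
printf 'web ip-type : %s\n' "$(exclusive_zone_cfg /zones/web vnic0 | zone_ip_type)"
printf 'old ip-type : %s\n' "$(printf '%s\n' "$SHARED_EXPORT" | zone_ip_type)"
```

On a Crossbow build such as the b134 mentioned earlier in the thread, the datalink handed to the zone would be created first with `dladm create-vnic -l e1000g0 vnic0`. The reason the script distinguishes DOWN from an absent address is the difference between the two proposals: with James's layout the global zone has nothing to answer on, while with Glenn's the address still exists and only the interface flag keeps it unreachable, so re-enabling the interface (by an admin or by a service that plumbs interfaces at boot) exposes the GZ again.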
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, so it is impossible to shut down the internet connection to the global zone and surf only from the local zones. If I want to surf from the local zones, the global zone's NIC must be activated. I suspect a hacker will attack the global zone, instead of the local zone that I surf from.

Are there any other ways to increase security instead of my original plan (shutting down the global zone and surf from local zones)? I am afraid the global zone will be attacked...
Re: [zones-discuss] Can I use 32-bits apps in zone on x64 OSOL?
Thank you.
Re: [zones-discuss] Possible to use zones for hardening? Security?
--- Original message ---
From: Orvar Korvar
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 10:13

> I want to shut down the global zone, and want to surf only from local zones. You mean this is not possible?

Not possible.

> I don't really understand the implications of your post. What are you trying to say? That I must use Crossbow in b134? Or, that my plan is not possible to do? Or, that I should not shut down the global NIC? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
I want to shut down the global zone, and want to surf only from local zones. You mean this is not possible?

I don't really understand the implications of your post. What are you trying to say? That I must use Crossbow in b134? Or, that my plan is not possible to do? Or, that I should not shut down the global NIC? Or?
Re: [zones-discuss] Can I use 32-bits apps in zone on x64 OSOL?
Anton Pomozov wrote:
> Seapine TestTrack License Server compiled for 32-bit only.
> Or I need use xVM with PV 32-bit osol?

32-bit applications work fine on x64, whether inside a zone or not. Each process on x64 (and SPARC) can be either 32-bit or 64-bit and the system adapts as needed.

The only question is whether this product has kernel modules. If it does, then you can't load 32-bit kernel modules into a 64-bit kernel (for much the same reason that you can't use 32-bit libraries with a 64-bit program).

--
James Carlson 42.703N 71.076W
[zones-discuss] Can I use 32-bits apps in zone on x64 OSOL?
Seapine TestTrack License Server is compiled for 32-bit only. Or do I need to use xVM with a PV 32-bit OSOL?