[zones-discuss] Future directions of Zones?
There are speculations that a future Microsoft Windows OS will only be a kernel, and each program will be installed in an individual VM created for that program. Hence, the kernel would be minimalistic and not bloated. Cannot something similar be done with Solaris? For instance, a small kernel, and everything installed in separate zones? This requires that Solaris zones can be very minimalistic: they read the system files from the kernel install, and write to their own filesystem.

-- This message posted from opensolaris.org ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] "Security through virtualization is a failure":
"My advice to the paranoid regarding VMs would be to disable extensions allowing the guest broader communication channels to services on the host..."

I didn't understand. You mean, for each local zone: disabling ssh and all other connections to the outside world?
Re: [zones-discuss] "Security through virtualization is a failure":
Ok, this "allowed-address" seems interesting. It allows me to tie one single IP address to a NIC, and no other IP addresses are allowed. http://docs.sun.com/app/docs/doc/821-1479/chapter5-2?l=sv&a=view

(I must use exclusive-ip, because several SunRay users cannot simultaneously access my network unless VirtualBox is using a bridged NIC (this requires exclusive-ip). NAT does not allow several SunRay users to access my network. I must use shared folders when using NAT.)

So, I will use something like this picture: http://docs.sun.com/source/821-1458/images/example_virtual_network.gif

I will not surf from the global zone. I will install VirtualBox inside each local zone, and install WinXP in each local zone. So, how do I use "allowed-address" here? Do I use it to tie a vnic to a local zone? Or can I use "allowed-address" to tie the global zone to the SunRay thin clients, and allow no internet traffic to reach the global zone, because it is tied to the SunRay clients?

I would like my local zones separated from the global zone, so that hacker attempts on my local zones do not reach the global zone.

(I have also considered installing SunRay software in a local zone, but that means all SunRay users are collected into one local zone, and they all run software in the same local zone. Which is not really what I want. I want separate local zones, with virtual machines in each.)
Re: [zones-discuss] "Security through virtualization is a failure":
Ok, thanks. So, Solaris zones are probably not susceptible to these kinds of attacks, it seems. But I was considering running VirtualBox in each local zone and surfing from the VirtualBox virtual machines. So, in that case, you can exploit that attack in each local zone. But you could not access the other local zones, because of the underlying zone model?

Regarding my SunRay setup and global zone: I think I should just do it simply, just like this picture: Figure 15-1. Zone 1 will be the global zone, and the rest of the zones will be VirtualBox zones. Good so? http://docs.sun.com/app/docs/doc/821-1458/gdytf?a=view
[zones-discuss] "Security through virtualization is a failure":
Ok, so virtual machines for x86 (VirtualBox, VMware, etc.) do not necessarily give you additional security. "Security by virtualization is a failure": http://www.serverwatch.com/tutorials/article.php/3905096/Use-Virtual-8086-Mode-to-Secure-Virtual-Servers.htm

I wonder, how does the Solaris zone VM model compare to these? Can you use the same type of exploit on zones? Are zones vulnerable to what he talks of, or are zones more secure? Or are all VMs insecure, no matter what model?

BTW, my original plan does not work. I have SunRay clients, which means I cannot shut down the global zone's NIC, because then the SunRay will stop functioning. I must somehow separate local zone traffic from the global zone's traffic. So... the global zone's NIC is on but I never touch it, or surf from the global zone (unless I must upgrade/patch Solaris). I only surf from local zones. How do I set up this scenario? Now I am confused.

1) Global zone NIC: I don't touch it.
2) For each local zone, I create a vnic and assign the vnic to the global zone's e1000g0.

Now I am done? Does this suffice? Or should I create a "subnet" and create vnics in the subnet, and attach all local zones to those vnics; then I have separated the global NIC and the local zones? Any hints? Anybody? (If I get it to work, I will write down explicitly how I did this, to help others.)
[zones-discuss] How secure are zones? Hackers?
I am wondering whether it is safer to reach the outside world (the internet) via a zone. Will this add additional security, with respect to the global zone? I think this is an interesting question.
[zones-discuss] Possible to create a thin zone?
I wonder if it is possible to create a really thin zone? I mean, a zone where all software is used directly from the global zone, and only /var is duplicated in the local zone? As of now, lots of files are copied from the global zone. For instance, /usr/bin/ls is copied from the global zone. Why cannot the local zone use a link to the global zone's /usr directory instead? And, in my global zone's /usr directory I have several other programs that did not get copied to the local zone. Why is that?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, thank you for your clarification. I think I prefer Crossbow because it is a "modern" approach. Regarding the threat model, I prefer to have as much separated traffic as possible; therefore I prefer exclusive-ip instead of shared-ip.
Re: [zones-discuss] Possible to use zones for hardening? Security?
Sorry, I didn't really get that. Could you explain a bit what you did, for a Solaris noob? You just shut down the global NIC, and the local zone NIC still works? Yes?

A question: I see that you use shared-ip. Isn't that less safe than exclusive-ip, because several zones share the same NIC in your case? If you want to separate traffic maximally, you should use exclusive-ip, yes? If I use exclusive-ip, I must configure virtual NICs with Crossbow, yes? I am actually trying this, but cannot get my zone to ping the world. The local zone's exclusive-ip NIC does not work.

When I get this scenario to work, I will post everything here, how to do it, so others can follow. But I need help during this research phase. Please help me answer my questions above?
Re: [zones-discuss] Zones zone.max-shm-memory setting.
At the same time, I would like to ask exactly what "locked" RAM is. How much is an appropriate value for desktop usage? 2GB?

add capped-memory
set locked=2GB
end
Re: [zones-discuss] Possible to use zones for hardening? Security?
If a hacker exploits a bug in the VBox driver and corrupts kernel memory so he gets into the global zone, then maybe it is safer to not use VBox? And only use local zones for reaching the outside world? And shut down the NIC to the global zone?
Re: [zones-discuss] Possible to use zones for hardening? Security?
So you suspect there is no need to shut down the global NIC, if the zone uses exclusive-ip and it is on a separate subnet and there is no routing between the zones? Ok, that is an interesting thought. What do you other people say? In that case a local zone cannot ping (reach) the global zone?

I was thinking that the only way to reach the internet would be through a local zone. The global zone should be completely isolated from the rest of the world (zones, internet) and have no working NIC. The question is, in that case, how can I ssh into a local zone if the global zone has no outside connection?

(BTW, I don't know how to do what you suggest, as I am a Solaris noob. I just planned to create an exclusive-ip vnic and a vswitch and connect them; have I done what you described then? Are they on a separate subnet? Or do I need to do some additional configuration?)
Re: [zones-discuss] Possible to use zones for hardening? Security?
petrben, yes, that is my question too: "is running in a local zone safer?". That is why I created this thread.

I was thinking something like this: If someone hacks my WinXP, then he must bypass VBox. Then he is inside the local zone. Then he must get root access to the local zone. Then he must break the zone to get into the global zone. When he is in the global zone, he must gain root access. Then he is in my computer.

To prevent this, I shut down the NIC to the global zone. Then there is no communication between the global zone and local zones. So how can a hacker inside a local zone gain access to the global zone? The global zone does not respond to any communication, because its NIC is down.

But you say something like: if a hacker takes control over VBox, then he also gets inside kernel space and then he bypasses zones and everything and is inside the global zone? He does not have to go through NICs and zones and what not?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Uhmmm... A thought just struck me. Is it really possible to do what I was thinking? If I install WinXP virtually, in VirtualBox, in a local zone, and then I shut down the global zone NIC, how can I reach the local zone then? It should not be possible? There is no connection between the local zone and the global zone, because the global zone NIC is shut down, so how can I surf the web from the local zone? ssh does not work, because it connects to the global zone's NIC? Or?
[zones-discuss] Sparse zones in S11?
I hope the sparse zones will be improved in S11? Like, patch only the global zone, etc. Is there work done on sparse zones in S11? -- This message posted from opensolaris.org ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] How can I get a gnome desktop running in a zone?
Have you tried

ssh -X usern...@ipadresstothezone

It works for me.
Re: [zones-discuss] can video card and usb resources be allocated in zones ?
According to the book "Oracle Solaris 10 System Virtualization Essentials" by Victor et al., you can install VirtualBox in the global zone and start VB in a local zone. When you configure that zone, you can write

add device
set match=/dev/vboxdrv
end
(allows VirtualBox to run in this zone)

add device
set match=/dev/vboxusbmon
end
(allows USB in the guest)

So, it seems you can use USB in VB in a zone.
Re: [zones-discuss] Possible to use zones for hardening? Security?
I am still confused. "cjg" wrote at the very bottom that it is possible to shut down the internet connection to the global zone, and provided a link. I don't understand what the link says, as I am a Solaris noob. Can someone explain? I don't feel I have a definitive answer. Is it possible to shut down the internet connection to the global zone, or not? And if it is possible, how do I do it? Just by "ifconfig e1000g0 down" or something similar?

Regarding VirtualBox: according to the book "Oracle Solaris 10 System Virtualization Essentials" by Victor et al., it is possible to install VirtualBox into the global zone, start up VirtualBox in a local zone and install the virtual machine in the local zone. The syntax is this:

# zonecfg -z <zonename>
add device
set match=/dev/vboxdrv
end

Hence, you just configure your zone as usual, but you also add the above lines when you configure your local zone. Then you can fire up VirtualBox in the local zone.

Regarding "exclusive-ip" in the zone configuration: if I set "exclusive-ip" on a vnic, then no other zone can access the vnic. That is the reason I want to use exclusive-ip.
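As an added example that is not code from the thread, the book, or Solaris itself: a small POSIX shell script that generates (and can apply) the zone configuration discussed in the posts above, that is, an exclusive-ip zone on its own VNIC, limited to a single address with the "allowed-address" property from the linked Solaris 11 Express docs, plus the VirtualBox device entries quoted from the book. The zone name, zonepath, VNIC name and address are assumed placeholders, and the allowed-address property and the dladm/zonecfg invocations are assumed from those docs.

```shell
# Added example, not from the thread: build a zonecfg command file for an
# exclusive-ip zone on its own VNIC, limited to one address with the
# allowed-address property (Solaris 11 Express zonecfg, assumed here), plus the
# VirtualBox device entries quoted from the book. Zone name, zonepath, VNIC
# name and address are constructed placeholders.

# valid_cidr ADDR: succeed only if ADDR is a dotted-quad IPv4 address with a
# /prefix, so a typo never ends up in the zone's allowed-address.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; plen=${1#*/}
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_zonecfg ZONE ZONEPATH VNIC ADDR: print the zonecfg commands on stdout.
gen_zonecfg() {
    valid_cidr "$4" || { echo "bad allowed-address: $4" >&2; return 1; }
    cat <<EOF
create
set zonepath=$2
set ip-type=exclusive
add net
set physical=$3
set allowed-address=$4
end
add device
set match=/dev/vboxdrv
end
add device
set match=/dev/vboxusbmon
end
verify
commit
EOF
}

# apply_zone ZONE ZONEPATH VNIC ADDR NIC: create the VNIC on the physical NIC
# (e1000g0 in the thread) and feed the generated file to zonecfg. Needs root
# on Solaris; the example does not call it by itself.
apply_zone() {
    dladm create-vnic -l "$5" "$3" || return 1
    gen_zonecfg "$1" "$2" "$3" "$4" > "/tmp/$1.cfg" || return 1
    zonecfg -z "$1" -f "/tmp/$1.cfg"
}
```

To use it on a real system, run for example `apply_zone surf1 /zones/surf1 vnic0 192.168.1.10/24 e1000g0` as root and then install and boot the zone as usual.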
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, now I am confused. I want to shut down all internet connection to my global zone. I don't want to shut down the global zone, only the internet connection. I want to reach the internet only from local zones. Some of the local zones will have a server application running. Others will just be used for surfing. I will install VirtualBox in the local zones. Is this possible or not? Some say yes, others say no? I believe I should use exclusive-ip in the local zones? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, so it is impossible to shut down the internet connection to the global zone and surf only from the local zones. If I want to surf from the local zones, the global zone's NIC must be activated. I suspect a hacker will attack the global zone, instead of the local zone that I surf from. Are there any other ways to increase security instead of my original plan (shutting down the global zone and surfing from local zones)? I am afraid the global zone will be attacked...
Re: [zones-discuss] Possible to use zones for hardening? Security?
I want to shut down the global zone, and want to surf only from local zones. You mean this is not possible? I don't really understand the implications of your post. What are you trying to say? That I must use Crossbow in b134? Or that my plan is not possible to do? Or that I should not shut down the global NIC? Or?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Here is more info on this: http://www.opensolaris.org/jive/thread.jspa?messageID=501153
Re: [zones-discuss] Possible to use zones for hardening? Security?
Ok, so I shut down e1000g0, which means my global zone cannot access the internet. The local zone will have e1000g0:1, which I do not shut down, which means the local zone can access the internet. Correct?

But, if we look at this picture http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris I see a virtual switch in the middle. I don't really understand the purpose of the virtual switch in the middle. What is it for? Should I also have a vswitch in the middle, and connect all local zones to the vswitch? And then I shut down the global zone's NIC called "vnic0" in the picture? Or is it "eri0" I should shut down?
Re: [zones-discuss] Possible to use zones for hardening? Security?
Is it that simple?! I just disable my interface, maybe with something similar to

# ifconfig e1000 down

or something. I have to check the syntax. And then everything is done? But, my zones, how can they reach the internet if the global interface is disabled? I don't get it.
[zones-discuss] Possible to use zones for hardening? Security?
I am a home user with a PC and two SunRay2. I wonder if it is possible to shut down all internet connections to my global zone, and create a zone with VirtualBox to reach the internet?

1) global zone: no internet connection
2) zone: VirtualBox + Win7 to surf the web, for me
3) zone: VirtualBox + Win7 to surf the web, for my girlfriend

I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later (which will have Crossbow, I assume).
Re: [zones-discuss] zone with X
I don't know about this. But I tried a guide for lx BrandZ, so I ran Linux programs in a zone with X11. I tried Acrobat Reader and it worked fine. I just followed the BrandZ Linux guides on the net.