Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-28 Thread Orvar Korvar
Sorry, I didn't really get that. Could you explain a bit what you did, for a 
Solaris noob? You just shut down the global NIC, and the local zone NIC still 
works? Yes?

A question: I see that you use shared ip. Isn't that less safe than 
exclusive-ip because several zones share the same NIC in your case? If you want 
to separate traffic maximally, you should use exclusive-ip, yes?

If I use exclusive IP, I must configure virtual nics with crossbow - yes?



I am actually trying this, but cannot get my zone to ping the world. The local 
zone's exclusive-IP NIC does not work. When I get this scenario to work, I will 
post everything here, how to do it, so others can follow. But I need help 
during this research phase. Please help me answer my questions above?
-- 
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
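The exclusive-IP configuration Orvar is trying above, as an added example that is not code from the thread: a POSIX sh script that writes the zonecfg(1M) command file for an exclusive-IP zone on a Crossbow VNIC (with the /dev/vboxdrv device line quoted elsewhere in the thread) and checks a saved global-zone `ifconfig -a` listing for whether the physical link still has a live address. The zone name vbox0, VNIC vnic0 over e1000g0, the zonepath, the 192.168.2.0/24 subnet and its gateway are assumptions.

```shell
#!/bin/sh
# Added example for the exclusive-IP variant of John's shared-IP setup;
# not code from the thread. Assumed names: zone vbox0, VNIC vnic0 over
# e1000g0, zonepath /var/opt/zones/vbox0, zone subnet 192.168.2.0/24 with
# gateway 192.168.2.1 (a router serving that subnet is assumed).
#
# Global-zone procedure (run by hand, not by this script):
#   dladm create-vnic -l e1000g0 vnic0
#   zonecfg_script vbox0 vnic0 /var/opt/zones/vbox0 > /tmp/vbox0.cfg
#   zonecfg -z vbox0 -f /tmp/vbox0.cfg
#   zoneadm -z vbox0 install && zoneadm -z vbox0 boot
# Inside the zone (zlogin vbox0) the address goes on vnic0, not in zonecfg:
#   ifconfig vnic0 plumb 192.168.2.3/24 up
#   route -p add default 192.168.2.1
# Leaving e1000g0 without an address in the global zone (or running
# `ifconfig e1000g0 down`, as in the thread) does not affect vnic0:
# a Crossbow VNIC is its own MAC client on the datalink.

# Emit the zonecfg(1M) command file for an exclusive-IP zone $1 on
# datalink $2 with zonepath $3, including the /dev/vboxdrv device from
# the thread. No `set address`: with exclusive IP that is set in the zone.
zonecfg_script() {
    printf '%s\n' \
        'create -b' \
        "set zonepath=$3" \
        'set brand=ipkg' \
        'set autoboot=false' \
        'set ip-type=exclusive' \
        'add net' \
        "set physical=$2" \
        'end' \
        'add device' \
        'set match=/dev/vboxdrv' \
        'end' \
        'commit'
}

# Exit 0 ("exposed") if, in a global-zone `ifconfig -a` listing ($1), the
# interface named $2 is flagged UP and carries an address other than
# 0.0.0.0. Logical instances such as e1000g0:1 (which belong to shared-IP
# zones and show a "zone foo" line) are matched only if named explicitly.
gz_link_exposed() {
    printf '%s\n' "$1" | awk -v link="$2" '
        /^[^ ]+: flags=/ {
            cur = $1; sub(/:$/, "", cur)
            if (cur == link) up = ($2 ~ /[<,]UP[,>]/)
            next
        }
        cur == link && $1 == "inet" && $2 != "0.0.0.0" { addr = 1 }
        END { if (up && addr) exit 0; exit 1 }'
}

# Constructed listings in the format John posted: the global zone before
# and after `ifconfig e1000g0 down`, and with e1000g0 never plumbed.
GZ_BEFORE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone foo
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255'
GZ_AFTER='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone foo
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255'
GZ_UNPLUMBED='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000'

# Demonstration: print the config file, then classify each listing.
zonecfg_script vbox0 vnic0 /var/opt/zones/vbox0
for name in GZ_BEFORE GZ_AFTER GZ_UNPLUMBED; do
    eval "listing=\$$name"
    if gz_link_exposed "$listing" e1000g0; then
        echo "$name: global zone answers on e1000g0"
    else
        echo "$name: global zone has no live address on e1000g0"
    fi
done
```

Run in the global zone, the checker takes live output directly: `gz_link_exposed "$(ifconfig -a)" e1000g0`.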


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-28 Thread Orvar Korvar
Ok, thank you for your clarification.

I think I prefer Crossbow because it is a modern approach. 

Regarding threat model, I prefer to have as much separated traffic as possible, 
therefore I prefer exclusive-ip instead of shared ip.


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-27 Thread John D Groenveld
In message 1481154627.91285535031577.javamail.tweb...@sf-app1, Orvar Korvar writes:
Ok, so I shut down e1000g0 which means my global zone can not access internet.
 The local zone will have e1000g0:1 which I do not shut down, which means the 
local zone can access internet. Correct?

Works for me.

# ifconfig e1000g0 |grep inet
inet 192.168.1.2 netmask ff00 broadcast 192.168.1.255
# zonecfg -z foo export
create -b
set zonepath=/var/opt/zones/foo
set brand=ipkg
set autoboot=false
set ip-type=shared
add net
set address=192.168.1.3/24
set physical=e1000g0
set defrouter=192.168.1.1
end
# ifconfig e1000g0:1
e1000g0:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        zone foo
        inet 192.168.1.3 netmask ff00 broadcast 192.168.1.255
# ifconfig e1000g0 down


John
groenv...@acm.org



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Orvar Korvar
petrben,
Yes that is my question too: is running in a local zone safer? That is why I 
created this thread.

I was thinking something like this: If someone hacks my WinXP, then he must 
bypass VBox. Then he is inside the local zone. Then he must get root access to 
the local zone. Then he must break the zone to get into the global zone. When 
he is in the global zone, he must gain root access. Then he is in my computer.

To prevent this, I shut down the NIC to the global zone. Then there is no 
communication between the global zone and local zones. So how can a hacker 
inside a local zone, gain access to the global zone? The global zone does not 
respond to any communication, because its NIC is down.



But you say something like: if a hacker takes control over VBox, then he also 
gets inside the kernelspace and then he bypasses zones and everything and is 
inside the global zone? He does not have to go through NICs and zones and what 
not?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Paul van der Zwan

On 26 Nov 2010, at 10:50 , Orvar Korvar wrote:

 petrben,
 Yes that is my question too: is running in a local zone safer?. That is why 
 I created this thread.
 
 I was thinking something like this: If someone hacks my WinXP, then he must 
 bypass VBox. Then he is inside the local zone. Then he must get root access 
 to the local zone. Then he must break the zone to get into the global zone. 
 When he is in the global zone, he must gain root access. Then he is in my 
 computer.
 
 To prevent this, I shut down the NIC to the global zone. Then there is no 
 communication between the global zone and local zones. So how can a hacker 
 inside a local zone, gain access to the global zone? The global zone does not 
 respond to any communication, because it's NIC is down.
 
 
There is probably no need to shut down the NIC in the global zone. As long as 
you configure the zone to use exclusive IP and make sure the zone is on a 
separate subnet from the global zone and there is no routing between the 
subnets you should be fine.
You could also use the crossbow features to create an internal network and do 
all kinds of firewalling between your VBox zone and the rest of the world.

Paul

 
 But you say something like: if a hacker takes control over VBox, then he also 
 gets inside the kernelspace and then he bypasses zones and everything and is 
 inside the global zone? He does not have to go through NICs and zones and 
 what not?



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Petr Benes
On 26 November 2010 10:50, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:
 petrben,
 Yes that is my question too: is running in a local zone safer?. That is why 
 I created this thread.

Yep and I found your question interesting and want to know more as well.
If you are the only administrator on the machine is there any security
benefit of running VBox in the local zone? So far it seems to me that
it doesn't make things worse while there is no clear reason it should
provide any remarkable advantage.
Negative is that you have one more machine to administer and you may
hit more problems later on upgrades etc.


 I was thinking something like this: If someone hacks my WinXP, then he must 
 bypass VBox. Then he is inside the local zone. Then he must get root access 
 to the local zone. Then he must break the zone to get into the global zone. 
 When he is in the global zone, he must gain root access. Then he is in my 
 computer.

 To prevent this, I shut down the NIC to the global zone. Then there is no 
 communication between the global zone and local zones. So how can a hacker 
 inside a local zone, gain access to the global zone? The global zone does not 
 respond to any communication, because it's NIC is down.



 But you say something like: if a hacker takes control over VBox, then he also 
 gets inside the kernelspace and then he bypasses zones and everything and is 
 inside the global zone? He does not have to go through NICs and zones and 
 what not?

I'm not a security expert nor VBox or zones developer. But if the
attacker successfully exploits a hypothetical bug in the VBox driver
he'll be able to corrupt the kernel memory whether it happens in the
local zone or not makes no significant difference.
If he only breaks out the VBox and stays confined in the zone it is of
course A difference and even if he manages to get root in the zone
there must be another serious flaw to break out the zone.
On the other side if it happens in the global zone and if there is no
local exploitable bug he'll stay as an ordinary user in the global
zone and other users will be relatively safe.
Crossbow and resource management could be done in the global zone as
well without the need of zone installation. And again in case you are
the only administrator you have no reason to mis-configure the guest
to fill all available memory ...

Petr





Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Orvar Korvar
If hacker exploits a bug in the VBox driver and corrupts kernel memory so he 
gets into the global zone, then maybe it is safer to not use VBox? And only use 
local zones for reaching the outside world? And shutdown the NIC to the global 
zone?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Petr Benes
On 26 November 2010 13:25, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:
 If hacker exploits a bug in the VBox driver and corrupts kernel memory so he 
 gets into the global zone, then maybe it is safer to not use VBox?

If such a bug exists then it'll be safer to not use VBox, however, I'm
not aware of any such bug. VBox is nice and if you need a Windows
guest you can't virtualise it using zones and actually VBox could be a
good choice.
The question is the added value of running VBox in a local zone.


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-26 Thread Pete Chan

 how can I ssh into a local zone if the global zone has no outside connection??

You have 2 options. 1. From the global you can simply use zlogin zonename and 
you're in. 2. You can add tcp wrappers to the non-global zone to only allow ssh 
connections from the global.

 Date: Fri, 26 Nov 2010 04:22:56 -0800
 From: knatte_fnatte_tja...@yahoo.com
 To: zones-discuss@opensolaris.org
 Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
 
 So you suspect there is no need to shut down the global NIC, if the zone uses 
 exclusive IP and it is on a separate subnet and there is no routing between 
 the zones?
 
 Ok, that is an interesting thought. What do you other people say? In that 
 case a local zone can not ping (reach) the global zone? 
 
 I was thinking that the only way to reach internet, would be through a local 
 zone. The global zone should be completely isolated from the rest of the 
 world (zones, internet) and have no working NIC. The question is, in that 
 case, how can I ssh into a local zone if the global zone has no outside 
 connection??
 
 
 
 (BTW, I dont know how to do what you suggest, as I am a Solaris noob. I just 
 planned to create exclusive-ip vnic and a vswitch and connect them - have I 
 done what you described then? Are they on a separate subnet? Or do I need to 
 do some additional configuration?)

Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Petr Benes
I bet VBox can't run inside the local zone.

On 24 November 2010 20:04, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:
 Uhmmm... A thought just struck me.

 Is it really possible to do what I was thinking? If I install WinXP 
 virtually, in VirtualBox, in a local zone - then I shut down the global zone 
 NIC - how can I reach the local zone then? It should not be possible?

 There is no connection between local zone and global zone - because global 
 zone NIC is shutdown - so how can I surf the web from the local zone??? ssh 
 does not work, because it connects to the global zone's NIC? Or?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Ian Collins

 On 11/25/10 11:08 PM, Petr Benes wrote:

I bet VBox can't run inside the local zone.


See the rest of this thread!

--
Ian.



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Cyril Plisko
On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes petr...@gmail.com wrote:
 I bet VBox can't run inside the local zone.

Well, you lost. See VirtualBox User Manual

2.4.5 Configuring a zone for running VirtualBox


 On 24 November 2010 20:04, Orvar Korvar knatte_fnatte_tja...@yahoo.com 
 wrote:
 Uhmmm... A thought just struck me.

 Is it really possible to do what I was thinking? If I install WinXP 
 virtually, in VirtualBox, in a local zone - then I shut down the global zone 
 NIC - how can I reach the local zone then? It should not be possible?

 There is no connection between local zone and global zone - because global 
 zone NIC is shutdown - so how can I surf the web from the local zone??? ssh 
 does not work, because it connects to the global zone's NIC? Or?




-- 
Regards,
        Cyril


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Petr Benes
Oh, thanks.

On 25 November 2010 11:25, Cyril Plisko cyril.pli...@mountall.com wrote:
 On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes petr...@gmail.com wrote:
 I bet VBox can't run inside the local zone.

 Well, you lost. See VirtualBox User Manual

 2.4.5 Configuring a zone for running VirtualBox


 On 24 November 2010 20:04, Orvar Korvar knatte_fnatte_tja...@yahoo.com 
 wrote:
 Uhmmm... A thought just struck me.

 Is it really possible to do what I was thinking? If I install WinXP 
 virtually, in VirtualBox, in a local zone - then I shut down the global 
 zone NIC - how can I reach the local zone then? It should not be possible?

 There is no connection between local zone and global zone - because global 
 zone NIC is shutdown - so how can I surf the web from the local zone??? ssh 
 does not work, because it connects to the global zone's NIC? Or?




 --
 Regards,
         Cyril



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Petr Benes
Hmm. VBox obviously needs to be installed in the global zone before.
Is running it in a local zone significantly safer? Yep for separating
different possible users, but it won't make running guests safer per
se. What is the supposed security merit there?

On 25 November 2010 11:25, Petr Benes petr...@gmail.com wrote:
 Oh, thanks.

 On 25 November 2010 11:25, Cyril Plisko cyril.pli...@mountall.com wrote:
 On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes petr...@gmail.com wrote:
 I bet VBox can't run inside the local zone.

 Well, you lost. See VirtualBox User Manual

 2.4.5 Configuring a zone for running VirtualBox


 On 24 November 2010 20:04, Orvar Korvar knatte_fnatte_tja...@yahoo.com 
 wrote:
 Uhmmm... A thought just struck me.

 Is it really possible to do what I was thinking? If I install WinXP 
 virtually, in VirtualBox, in a local zone - then I shut down the global 
 zone NIC - how can I reach the local zone then? It should not be possible?

 There is no connection between local zone and global zone - because global 
 zone NIC is shutdown - so how can I surf the web from the local zone??? 
 ssh does not work, because it connects to the global zone's NIC? Or?




 --
 Regards,
         Cyril




Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread John D Groenveld
In message aanlkti=fhh7pknmc1vhztcgvyuofpe1fsft1j5r7r...@mail.gmail.com, Petr Benes writes:
Hmm. VBox obviously needs to be installed in the global zone before.
Is running it in a local zone significantly safer? Yep for separating
different possible users, but it won't make running guests safer per
se. What is the supposed security merit there?

Finer grain delegation of VBox management to the Zone's
administrator.

Limit the damage if the Zone's VBox application is somehow
subverted by the guest OS.


Beyond security, running VBox in a Zone allows you to make
use of Zone Resource Controls and Crossbow networking.
Cool stuff!

John
groenv...@acm.org


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Petr Benes
 Limit the damage if the Zone's VBox application is somehow
 subverted by the guest OS.

There are VBox modules in the kernel and the containers framework
can't stop misbehavior in kernelspace.



 Beyond security, running VBox in a Zone allows you to make
 use of Zone Resource Controls and Crossbow networking.
 Cool stuff!

No question about cool features. My concern is if running VBox in a
local zone has any security advantage regarding an evil guest over
running it in the global one. And if so, why? VBox process itself
doesn't run as a root but there are its drivers the attack may go
through.

Petr


 John
 groenv...@acm.org


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Jeff Victor
On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes petr...@gmail.com wrote:
 Limit the damage if the Zone's VBox application is somehow
 subverted by the guest OS.

 There are VBox modules in the kernel and the containers framework
 can't stop misbehavior in kernelspace.

The use of kernel modules in VBox doesn't weaken the security of
Zones. Other software accessible in a zone ultimately uses kernel
modules. Gaining unfettered control over kernel space is the hard
part. In any case, please see more detail below.

 Beyond security, running VBox in a Zone allows you to make
 use of Zone Resource Controls and Crossbow networking.
 Cool stuff!

 No question about cool features. My concern is if running VBox in a
 local zone has any security advantage regarding an evil guest over
 running it in the global one. And if so, why?

Because all processes running in a zone run with a reduced privilege
set, compared to processes running in the global zone. For example, a
process in a zone cannot have the proc_zone privilege, so a process in
one zone cannot send a signal to another process. Also, by default, a
process in a zone does not have the sys_time privilege, so it cannot
change the system's time clock. (The global zone administrator can
give the sys_time privilege to one or more zones, after which they
would be able to change the system's time clock.) See the man page
privileges(5).

Is the security framework of Zones good enough? An independent
security certification gave Solaris Trusted Extensions (which uses
Zones to compartmentalize information) a rating of EAL4+ with three
different profiles - the highest rating achieved by a general purpose
operating system.

For more information on security and Solaris Zones, please read the
paper Understanding the Security Capabilities of Solaris Zones
written by Glenn Brunette and myself:
http://hub.opensolaris.org/bin/download/Project+isc/WebHome/820%2D7017.pdf .


--JeffV


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-25 Thread Petr Benes
On 26 November 2010 04:07, Jeff Victor jeff.j.vic...@gmail.com wrote:
 On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes petr...@gmail.com wrote:
 Limit the damage if the Zone's VBox application is somehow
 subverted by the guest OS.

 There are VBox modules in the kernel and the containers framework
 can't stop misbehavior in kernelspace.

 The use of kernel modules in VBox doesn't weaken the security of
 Zones. Other software accessible in a zone ultimately uses kernel
 modules. Gaining unfettered control over kernel space is the hard
 part. In any case, please see more detail below.

 Beyond security, running VBox in a Zone allows you to make
 use of Zone Resource Controls and Crossbow networking.
 Cool stuff!

 No question about cool features. My concern is if running VBox in a
 local zone has any security advantage regarding an evil guest over
 running it in the global one. And if so, why?

 Because all processes running in a zone run with a reduced privilege
 set, compared to processes running in the global zone. For example, a
 process in a zone cannot have the proc_zone privilege, so a process in
 one zone cannot send a signal to another process. Also, by default, a
 process in a zone does not have the sys_time privilege, so it cannot
 change the system's time clock. (The global zone administrator can
 give the sys_time privilege to one or more zones, after which they
 would be able to change the system's time clock.) See the man page
 privileges(5).

How could a guest inside the VBox use any of these features?
All privileged stuff is done via /dev/vbox* you granted the zone
to access if I got it correctly.


 Is the security framework of Zones good enough? An independent
 security certification gave Solaris Trusted Extensions (which uses
 Zones to compartmentalize information) a rating of EAL4+ with three
 different profiles - the highest rating achieved by a general purpose
 operating system.

 For more information on security and Solaris Zones, please read the
 paper Understanding the Security Capabilities of Solaris Zones
 written by Glenn Brunette and myself:
 http://hub.opensolaris.org/bin/download/Project+isc/WebHome/820%2D7017.pdf

That's actually a bit different use and will be plausible only after
VBox will be certified to run under trusted zones.

Petr


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-11-24 Thread Orvar Korvar
Uhmmm... A thought just struck me. 

Is it really possible to do what I was thinking? If I install WinXP virtually, 
in VirtualBox, in a local zone - then I shut down the global zone NIC - how can 
I reach the local zone then? It should not be possible?

There is no connection between local zone and global zone - because global zone 
NIC is shut down - so how can I surf the web from the local zone??? ssh does not 
work, because it connects to the global zone's NIC? Or?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-10-01 Thread Orvar Korvar
I am still confused. cjg wrote at the very bottom, that it is possible to 
shut down internet connection to the global zone and provided a link. I don't 
understand what the link says, as I am a Solaris noob. Can someone explain? 

I don't feel I have a definitive answer. Is it possible to shut down internet 
connection to the global zone, or not? And if it is possible, how do I do it? 
Just by ifconfig e1000g0 down or something similar?




Regarding VirtualBox. According to the book Oracle Solaris 10 System 
Virtualization Essentials by Victor, et al, it is possible to install 
VirtualBox into the global zone, start up VirtualBox in a local zone and 
install the virtual machine in the local zone. The syntax is this:
# zonecfg 
add device
 set match=/dev/vboxdrv
 end

Hence, you just configure your zone as usual, but you also add the above lines 
when you configure your local zone. Then you can fire up VirtualBox in the 
local zone.

Regarding exclusive-ip in the zone configuration. If I set exclusive-ip to 
a vnic, then no other zone can access the vnic. That is the reason I want to 
use exclusive-ip.


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-10-01 Thread Glenn Faden



Orvar Korvar wrote:
I am still confused. cjg wrote at the very bottom, that it is possible to 
shut down internet connection to the global zone and provided a link. I don't 
understand what the link says, as I am a Solaris noob. Can someone explain? 

I don't feel I have a definitive answer. Is it possible to shut down internet 
connection to the global zone, or not? And if it is possible, how do I do it? 
Just by ifconfig e1000g0 down or something similar?


Yes. That is sufficient.

--Glenn


ORACLE ®
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering




Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Orvar Korvar
Ok, now I am confused.

I want to shut down all internet connection to my global zone. I don't want to 
shut down the global zone, only the internet connection. I want to reach 
internet only from local zones. Some of the local zones will have a server 
application running. Others will just be used for surfing. I will install 
VirtualBox in the local zones.

Is this possible or not? Some say yes, other say no?

I believe I should use exclusive-ip in the local zones? Or?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Ian Collins

On 10/ 1/10 09:42 AM, Orvar Korvar wrote:

Ok, now I am confused.

I want to shut down all internet connection to my global zone. I don't want to 
shut down the global zone, only the internet connection. I want to reach 
internet only from local zones. Some of the local zones will have a server 
application running. Others will just be used for surfing. I will install 
VirtualBox in the local zones.

I don't think you can install VirtualBox in a zone.  If you are using 
VirtualBox, you can use the same networking tricks to get isolation as 
you would use for a zone.



Is this possible or not? Some say yes, other say no?


The response you didn't quote answered your question:

On 09/30/10 08:38 AM, Glenn Faden wrote:
Assuming you're using the shared IP stack (default), it is sufficient 
for the global zone interface(s) to be plumbed so that the non-global 
zones can use logical instances of the interface(s). So setting the GZ 
interfaces as 'down' will prevent network access to/from the global zone. 



I believe I should use exclusive-ip in the local zones? Or?

You can, but you don't have to.

--
Ian.



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Jerry Kemp
Ian,

I believe that you are correct in your comment about running VirtualBox
in a zone.  While I haven't attempted it myself, I believe that VirtualBox
will not work from a zone because VirtualBox needs to load kernel modules.

here is an example:

ultra20 /root 401 # modinfo | grep -i vbox
175 f85127f0a88 345   1  vboxnet (VirtualBox NetAdp 3.1.4r57640)
177 f8682000  24de8 344   1  vboxdrv (VirtualBox HostDrv 3.1.4r57640)
250 f89e2000   6a20 346   1  vboxflt (VirtualBox NetDrv 3.1.4r57640)
250 f89e2000   6a20   -   1  vboxflt (VirtualBox NetMod 3.1.4r57640)
251 f89e9000   4598 347   1  vboxusbmon (VirtualBox USBMon 3.1.4r57640)
252 f89ee000   6de8 348   1  vboxusb (VirtualBox USB 3.1.4r57640)
ultra20 /root 402 # uname -a
SunOS ultra20 5.11 snv_130 i86pc i386 i86pc
ultra20 /root 403 #

Jerry


On 09/30/10 15:55, Ian Collins wrote:


 I don't think you can install VirtualBox in a zone.  If you are using
 VirtualBox, you can use the same networking tricks to get isolation as
 you would use for a zone.
 


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Glenn Faden
VBox definitely works in zones. It installs a global zone SMF service, 
VBoxService, to take care of loading the kernel modules since this can't 
be done by a NGZ.


see http://www.virtualbox.org/changeset/24240

--Glenn

Jerry Kemp wrote:

Ian,

I believe that you are correct in your comment about running VirtualBox
in a zone.  While I haven't attempted it myself, I believe that VirtualBox
will not work from a zone because VirtualBox needs to load kernel modules.

here is an example:

ultra20 /root 401 # modinfo | grep -i vbox
175 f85127f0a88 345   1  vboxnet (VirtualBox NetAdp 3.1.4r57640)
177 f8682000  24de8 344   1  vboxdrv (VirtualBox HostDrv 3.1.4r57640)
250 f89e2000   6a20 346   1  vboxflt (VirtualBox NetDrv 3.1.4r57640)
250 f89e2000   6a20   -   1  vboxflt (VirtualBox NetMod 3.1.4r57640)
251 f89e9000   4598 347   1  vboxusbmon (VirtualBox USBMon 3.1.4r57640)
252 f89ee000   6de8 348   1  vboxusb (VirtualBox USB 3.1.4r57640)
ultra20 /root 402 # uname -a
SunOS ultra20 5.11 snv_130 i86pc i386 i86pc
ultra20 /root 403 #

Jerry


On 09/30/10 15:55, Ian Collins wrote:

I don't think you can install VirtualBox in a zone.  If you are using
VirtualBox, you can use the same networking tricks to get isolation as
you would use for a zone.





--

ORACLE ®
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering




Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Ian Collins

On 10/ 1/10 10:33 AM, Glenn Faden wrote:
VBox definitely works in zones. It installs a global zone SMF service, 
VBoxService, to take care of loading the kernel modules since this 
can't be done by a NGZ.


see http://www.virtualbox.org/changeset/24240


Ah, so I was correct in stating VirtualBox can't be *installed* in a zone.

I didn't realise it could be run in a zone when installed in the global 
zone.


--
Ian.



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Jerry Kemp
I stand corrected.

Thanks for the update Glenn.

Jerry


On 09/30/10 16:33, Glenn Faden wrote:
 VBox definitely works in zones. It installs a global zone SMF service,
 VBoxService, to take care of loading the kernel modules since this can't
 be done by a NGZ.
 
 see http://www.virtualbox.org/changeset/24240
 
 --Glenn
 


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-30 Thread Chris Gerhard
Not true. b134 has crossbow and you can configure it such that the global zone 
does not have access to the internet. 

See http://chrisgerhard.wordpress.com/2009/01/01/http-proxy-in-a-zone/

--chris


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread Orvar Korvar
I want to shut down the global zone, and want to surf only from local zones. 
You mean this is not possible? 

I don't really understand the implications of your post. What are you trying to 
say? That I must use Crossbow in b134? Or, that my plan is not possible to do? 
Or, that I should not shut down the global NIC? Or?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread LaoTsao



--- Original message ---

From: Orvar Korvar knatte_fnatte_tja...@yahoo.com
To: zones-discuss@opensolaris.org
Sent: 29.9.'10,  10:13

I want to shut down the global zone, and want to surf only from local 
zones. You mean this is not possible?


Not possible
I don't really understand the implications of your post. What are you 
trying to say? That I must use Crossbow in b134? Or, that my plan is not 
possible to do? Or, that I should not shut down the global NIC? Or?



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread Orvar Korvar
Ok, so it is impossible to shut down the internet connection to the global zone and 
surf only from the local zones. If I want to surf from the local zones, the 
global zone's NIC must be activated. I suspect a hacker will attack the global 
zone, instead of the local zone that I surf from.

Are there any other ways to increase security instead of my original plan 
(shutting down the global zone and surfing from local zones)? I am afraid the 
global zone will be attacked...


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread James Carlson
Orvar Korvar wrote:
 Ok, so it is impossible to shut down the internet connection to the global zone 
 and surf only from the local zones. If I want to surf from the local zones, 
 the global zone's NIC must be activated. I suspect a hacker will attack the 
 global zone, instead of the local zone that I surf from.

There's no need to assign any addresses to the global zone.

I'm pretty sure there are others (Dan McDonald, probably) who have
experimented with the sort of configuration you're describing.

 Are there any other ways to increase security instead of my original plan 
 (shutting down the global zone and surfing from local zones)? I am afraid the 
 global zone will be attacked...

If you set up the global zone having no interfaces (just lo0), and set
up the non-global zones using the set ip-type=exclusive mechanism, the
non-global zones will have networking that's completely independent of
the global zone.

You can't shut down the global zone, but you certainly can configure
it so that it doesn't have any available networking interfaces.

-- 
James Carlson 42.703N 71.076W carls...@workingcode.com


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread LaoTsao

Hi
You cannot shut down the GZ.
The GZ runs the kernel and all services for the NGZ.
But you can set up a firewall to restrict access to IP/TCP services and 
ports.


--- Original message ---

From: Orvar Korvar knatte_fnatte_tja...@yahoo.com
To: zones-discuss@opensolaris.org
Sent: 29.9.'10,  13:33

Ok, so it is impossible to shut down the internet connection to the global 
zone and surf only from the local zones. If I want to surf from the local 
zones, the global zone's NIC must be activated. I suspect a hacker will 
attack the global zone, instead of the local zone that I surf from.


Are there any other ways to increase security instead of my original plan 
(shutting down the global zone and surfing from local zones)? I am afraid the 
global zone will be attacked...



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread Jordan Vaughan
Is there a way to disable all remote connections to the GZ?  In other 
words, couldn't you use a firewall to reject connections on all ports to 
the GZ?  That would effectively deny remote access to the GZ without 
having to disable any network interfaces.


Of course, disabling the GZ's interface(s) is preferable (it's simpler), 
but I'm not sure if it's possible.  I haven't tried it.


Jordan

On 09/29/10 10:33 AM, Orvar Korvar wrote:

Ok, so it is impossible to shut down the internet connection to the global zone and 
surf only from the local zones. If I want to surf from the local zones, the 
global zone's NIC must be activated. I suspect a hacker will attack the global 
zone, instead of the local zone that I surf from.

Are there any other ways to increase security instead of my original plan 
(shutting down the global zone and surfing from local zones)? I am afraid the 
global zone will be attacked...



Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-29 Thread Glenn Faden
Assuming you're using the shared IP stack (default), it is sufficient 
for the global zone interface(s) to be plumbed so that the non-global 
zones can use logical instances of the interface(s). So setting the GZ 
interfaces as 'down' will prevent network access to/from the global zone.


--Glenn

Jordan Vaughan wrote:
Is there a way to disable all remote connections to the GZ?  In other 
words, couldn't you use a firewall to reject connections on all ports 
to the GZ?  That would effectively deny remote access to the GZ 
without having to disable any network interfaces.


Of course, disabling the GZ's interface(s) is preferable (it's 
simpler), but I'm not sure if it's possible.  I haven't tried it.


Jordan

On 09/29/10 10:33 AM, Orvar Korvar wrote:
Ok, so it is impossible to shut down the internet connection to the global 
zone and surf only from the local zones. If I want to surf from the 
local zones, the global zone's NIC must be activated. I suspect a 
hacker will attack the global zone, instead of the local zone that I 
surf from.


Are there any other ways to increase security instead of my original 
plan (shutting down the global zone and surfing from local zones)? I am 
afraid the global zone will be attacked...



--

ORACLE ®
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering




Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-28 Thread Orvar Korvar
Here is more info on this:
http://www.opensolaris.org/jive/thread.jspa?messageID=501153#501153


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-28 Thread Jeff Victor
If you configure a zone to use the exclusive-IP feature, the global
zone will not be able to use the zone's network interfaces. See the
zonecfg(1M) man page.

On Sat, Sep 25, 2010 at 6:23 AM, Orvar Korvar
knatte_fnatte_tja...@yahoo.com wrote:
 I am a home user with a PC and two SunRay2.

 I wonder if it is possible to shut down all internet connections to my global 
 zone, and create a zone with VirtualBox to reach internet?

 1) global zone: no internet connection
 2) zone: virtualbox + Win7 to surf the web, for me
 3) zone: virtualbox + Win7 to surf the web, for my girlfriend

 I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later 
 (which will have Crossbow I assume)




-- 
--JeffV


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-28 Thread Jeff Victor
On Sun, Sep 26, 2010 at 5:03 PM, Orvar Korvar
knatte_fnatte_tja...@yahoo.com wrote:
 Ok, so I shut down e1000g0 which means my global zone can not access 
 internet. The local zone will have e1000g0:1 which I do not shut down, which 
 means the local zone can access internet. Correct?

 But, if we look at this picture
 http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris
 I see a virtual switch in the middle. I don't really understand the purpose of 
 the virtual switch in the middle. What is it for?

It is a feature in Project Crossbow. In one sense, it is the mechanism
by which several entities (e.g. several zones) share a physical NIC.
In other words, vSwitches connect vNICs to a physical NIC.

 Should I also have a vswitch in the middle? And connect all local zones to 
 the vswitch?

That depends on your goals. Unless you have more NICs than zones, you
will need at least one vSwitch.


--JeffV

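Putting James Carlson's advice (global zone with only lo0, zones with ip-type=exclusive) and Jeff Victor's (a Crossbow VNIC per zone over the one physical NIC) together as one configuration. This is an added example, not a transcript from anyone in this thread; the NIC name e1000g0 comes from the thread, while the zone name surf, the VNIC name surf0, the zonepath and the use of DHCP inside the zone are assumptions.

```console
# Global zone (gz#): leave the physical NIC without any IP configuration.
# Assumes OpenSolaris b134 / Solaris 11 Express with the legacy network
# service; on a desktop install NWAM would otherwise re-plumb e1000g0.
gz# svcadm disable svc:/network/physical:nwam
gz# svcadm enable  svc:/network/physical:default
gz# rm -f /etc/hostname.e1000g0      # no address for e1000g0 at boot
gz# ifconfig e1000g0 unplumb         # and none right now
gz# ifconfig -a                      # check: only lo0 is listed

# Crossbow: a VNIC over the physical link, one per zone. The "virtual
# switch" from the blog picture is what dladm builds underneath e1000g0
# when more than one VNIC hangs off it.
gz# dladm create-vnic -l e1000g0 surf0
gz# dladm show-vnic                  # check: surf0 listed OVER e1000g0

# The zone: exclusive IP stack, so surf0 belongs to the zone, not the GZ.
# Same zonecfg shape as the shared-ip export earlier in this thread,
# with ip-type and the net resource changed.
gz# zonecfg -z surf
zonecfg:surf> create -b
zonecfg:surf> set zonepath=/var/opt/zones/surf
zonecfg:surf> set brand=ipkg
zonecfg:surf> set ip-type=exclusive
zonecfg:surf> add net
zonecfg:surf:net> set physical=surf0
zonecfg:surf:net> end
zonecfg:surf> verify
zonecfg:surf> commit
zonecfg:surf> exit
gz# zoneadm -z surf install
gz# zoneadm -z surf boot

# Inside the zone (surf#): surf0 is configured like a physical NIC.
gz# zlogin surf
surf# touch /etc/hostname.surf0 /etc/dhcp.surf0   # persistent DHCP setup
surf# ifconfig surf0 plumb
surf# ifconfig surf0 dhcp
surf# netstat -rn                    # check: default route via the LAN gateway

# Back in the global zone, nothing changed: still lo0 only, and surf0 is
# no longer available for the GZ to plumb while the zone is running.
gz# ifconfig -a
```

Only the zone's address is reachable from the LAN; the global zone still runs the kernel and the zone's services (as LaoTsao notes), so keep it patched, but it has no address for a remote host to connect to.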

Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-26 Thread Pete Chan

When you create your zone1 it will be bound to e1000:1, and that interface is 
not disabled, hence it will have access to the web.
You may do the same thing with 2 interfaces. One can be dedicated to global and 
the other bound to e1000:1, etc.
 
 Date: Sat, 25 Sep 2010 12:32:55 -0700
 From: knatte_fnatte_tja...@yahoo.com
 To: zones-discuss@opensolaris.org
 Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
 
 Is it that simple?!
 
 I just disable my interface. Maybe with something similar to
 # ifconfig e1000 down
 or something. I have to check the syntax.
 
 And then everything is done? But, my zones, how can they reach internet if 
 the global interface is disabled? I don't get it.

Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-26 Thread Orvar Korvar
Ok, so I shut down e1000g0 which means my global zone can not access internet. 
The local zone will have e1000g0:1 which I do not shut down, which means the 
local zone can access internet. Correct?

But, if we look at this picture
http://blogs.sun.com/droux/entry/private_virtual_networks_for_solaris
I see a virtual switch in the middle. I don't really understand the purpose of 
the virtual switch in the middle. What is it for? 

Should I also have a vswitch in the middle? And connect all local zones to the 
vswitch? And then I shut down the global zone called vnic0 in the picture? Or 
is it eri0 I should shut down?


Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-25 Thread Pete Chan

On the global zone all you need to do is disable your interface.
 
 Date: Sat, 25 Sep 2010 03:23:52 -0700
 From: knatte_fnatte_tja...@yahoo.com
 To: zones-discuss@opensolaris.org
 Subject: [zones-discuss] Possible to use zones for hardening? Security?
 
 I am a home user with a PC and two SunRay2. 
 
 I wonder if it is possible to shut down all internet connections to my global 
 zone, and create a zone with VirtualBox to reach internet? 
 
 1) global zone: no internet connection
 2) zone: virtualbox + Win7 to surf the web, for me
 3) zone: virtualbox + Win7 to surf the web, for my girlfriend
 
 I am using OpenSolaris b134 and plan to migrate to Solaris 11 Express later 
 (which will have Crossbow I assume)

Re: [zones-discuss] Possible to use zones for hardening? Security?

2010-09-25 Thread Orvar Korvar
Is it that simple?!

I just disable my interface. Maybe with something similar to
# ifconfig e1000 down
or something. I have to check the syntax.

And then everything is done? But, my zones, how can they reach internet if the 
global interface is disabled? I don't get it.