On 08/27/08 14:10, Bill Sommerfeld wrote:
> On Mon, 2008-08-18 at 13:06 -0700, Tony Nguyen wrote:
>
>> Hi Darren and all,
>>
>> As part of the Visual Panels project,
>>
>> http://opensolaris.org/os/project/vpanels
>>
>> we're proposing a generic firewall framework for Solaris. The framework
>> utilizes IPfilter to provide a simple mechanism to configure a firewall
>> on Solaris systems.
>>
>
> I'm sorry, I just don't get it. The mechanisms you're setting up seem
> incompatible with delegated service administration.
>
> The purpose of a firewall is to establish policies to limit what traffic
> is allowed through a particular network chokepoint.
>
> Composing your policy out of bits and pieces contributed by different
> services which may be administered by different administrators
> (remember, different SMF services may be administered by different
> users) without a clear and coherent overall policy author strikes me as
> a disaster waiting to happen unless the global administrator can
> constrain what rules a service administrator can supply.
>
Bill, my thoughts on this are that this project is primarily aimed at delivering access control for running network services, rather than being a network firewall per se - if you like, this project is more concerned with being a host-based firewall and not a network chokepoint.

But that said, the greater question you've asked is a good one: is it an acceptable policy to allow service administrators, rather than a host administrator, to control network access to a service? In the absence of a specific policy for the host, I'd argue yes, that's an acceptable model to use.

I suppose the question you're asking is what if the system's policy is to allow delegation of the control of the services but not control over network access to the services? Is that just a simple matter of more ownership/access rights on the various SMF properties?

But if there is an overall policy that should be applied instead, like you are suggesting, then my take on this is that it falls outside of what this project is delivering.

Thoughts?

Darren
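The constraint Bill asks for, a host administrator bounding what each service administrator may contribute before the pieces are composed into one ruleset, sketched as an added example. This is not code from the Visual Panels project or from IPfilter: the service names, the constraint table and the per-service rule fragments are constructed, and the emitted lines use IPfilter `pass`/`block` syntax purely to illustrate a global default-deny followed by vetted service rules.

```python
"""Illustrative model (added example, not the Visual Panels project's code):
a host-wide constraint decides which proto/port pairs each SMF service may
open; service-contributed rule fragments that fall outside it are rejected
before the accepted ones are composed under a global default-deny."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str        # contributing SMF service (constructed FMRI fragment)
    proto: str          # "tcp" or "udp"
    port: int
    src: str = "any"    # source address expression, "any" by default


# Written by the global (host) administrator: the only openings each service
# may request. A service absent from the table may open nothing. Constructed
# sample data.
GLOBAL_CONSTRAINT = {
    "network/ssh": {("tcp", 22)},
    "network/http": {("tcp", 80), ("tcp", 443)},
}

# Fragments contributed by the individual service administrators (constructed).
SAMPLE_SERVICE_RULES = [
    Rule("network/ssh", "tcp", 22),
    Rule("network/http", "tcp", 80),
    Rule("network/http", "tcp", 443),
    Rule("network/http", "tcp", 8080),        # outside the http allowance
    Rule("network/example-db", "tcp", 5432),  # service not delegated any port
]


def validate(rules, constraint=GLOBAL_CONSTRAINT):
    """Split contributed rules into those the host policy permits and those it
    does not. Only the host administrator's table decides; the service
    administrator cannot widen it."""
    accepted, rejected = [], []
    for r in rules:
        if (r.proto, r.port) in constraint.get(r.service, set()):
            accepted.append(r)
        else:
            rejected.append(r)
    return accepted, rejected


def compose(accepted):
    """Emit an IPfilter-style ruleset. IPfilter applies the last matching rule
    unless a rule says 'quick', so a leading 'block in all' is the default and
    each vetted 'pass in quick' rule overrides it for exactly one opening."""
    lines = ["block in all"]
    for r in accepted:
        lines.append(
            f"pass in quick proto {r.proto} from {r.src} to any "
            f"port = {r.port} keep state"
        )
    return "\n".join(lines)


def build_ruleset(rules, constraint=GLOBAL_CONSTRAINT):
    """Return (ruleset text, rejected rules) for a set of contributed rules."""
    accepted, rejected = validate(rules, constraint)
    return compose(accepted), rejected


if __name__ == "__main__":
    text, rejected = build_ruleset(SAMPLE_SERVICE_RULES)
    print(text)
    for r in rejected:
        print(f"# rejected: {r.service} {r.proto}/{r.port} not permitted by host policy")
```

The point of the split is that delegation of the service does not imply delegation of the host's network exposure: the service administrator's fragment is an input to the host policy, not a part of it, and anything the constraint table does not list never reaches the generated ruleset.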