From: Uwe Doering
Date: Tue, 15 Jul 2003 12:28:14 +0200
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel

Pawel Jakub Dawidek wrote:
> On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
> +> >My advice is simple: every jail and main host should have its own IP
> +> >address.
> +>
> +> This is certainly the best solution, if you have multiple IP addresses
> +> at your disposal. What I was trying to point out is that there is no
> +> _technical_ reason for separate IP addresses with regard to FreeBSD's
> +> jail implementation. In cases where you cannot easily get additional IP
> +> addresses, on a rented server in a data center, for instance, running
> +> multiple jails on the same IP address (with the necessary safety
> +> precautions like binding daemons to IP addresses explicitly) is still
> +> far better than no jails at all. The difference is that it takes at
> +> least some skill and insight into FreeBSD internals to compromise the
> +> system as a whole in the former case, while in the latter each and every
> +> script kiddy can take over your entire server in no time.
>
> IMHO security solutions that are "harder to break", aren't security
> solutions.

Sure, everybody should afford an opinion. However, as you are certainly
aware there is no absolute security, no magic bullet. Security is like
an onion, with multiple layers. You grab as many layers as you can under
the given circumstances and try to make the best of it.

If the person responsible for server security is willing to add third
party code to the kernel (as you suggest) he might be rewarded with an
additional layer. I say "might" because there is always the risk of
introducing instability with changes like these. If he would rather not
touch the kernel he has to put up with a lower degree of security.

In the end it boils down to an assessment of how much security you
really need with regard to what you are trying to protect. Otherwise you
quickly end up in overkill (to the delight of the security industry,
undoubtedly).

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net