Integrating Security into Vyatta - SELinux

0 downloads 249 Views 354KB Size Report
Operating System IOS, ... JUNOS (BSD) Linux. Architecture Proprietary ... set interfaces ethernet eth0 address 1.2.3.4/2
Integrating Security into Vyatta Stephen Hemminger

Comparison of Router OS Cisco Operating System IOS, ... Architecture Proprietary Monolithic Roles 0 – 15

Juniper

Vyatta

JUNOS (BSD)

Linux

Proprietary Modular

Open

Operator read-only Superuser Unauthorized

Operator Administrator

Authentication Local, RADIUS, Local, RADIUS, Local, RADIUS, TACACS+ TACACS+ TACACS+

Router Security Requirements ✔

Freedom from fear of remote attacks



Freedom from forced entry



Freedom from stupidity



Freedom from having to learn anything new

set interfaces ethernet eth0 address 1.2.3.4/24

Bash ip addr add dev eth0 1.2.3.4/24

templates perl

Commands Netlink: ...

Kernel

Configuration management operational

discard

commit

configure

configuration

boot config.boot

save Active configuation

Real programmers use

Perl

Unionfs

Four basic Install models ●

Traditional

→ disk install



Live CD

→ CDROM + floppy



Virtual Machine → VM image



Install Image

→ Distribution + changes

http://xkcd.com/149/

POSIX capability Group membership → cap_netadmin+i sudo iptables

→ /sbin/iptables

system(“mount ...”) → mount() sudo perl foo.pl

→ ???

Router AAA Router OS

Linux



Username



Uid



Levels



Groups



Accounting



Auditing



File access control



Command Authorization

Router AAA = bad directory service ●





UID we don't need no stinking user id Sorry, no traversal for you “Mother may I...”

SELinux Issues ●

Starting daemons from templates



Labeling during build, upgrade



RBAC





sysadm_r, staff_r mapping



No prompting

Optional?

Wishlist 1)Command authorization/accounting 2)Finer grained network capabilities 3)DAC on network objects 4)But keep Linux environment