SElinux; rant about NAT

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Sat Aug 16 16:46:35 UTC 2014


| From: Howard Gibson <hgibson-MwcKTmeKVNQ at public.gmane.org>

|    As a matter of fact, I do have a web server installed on both my 
|    desktop and my favourite laptop.  My desktop sits behind my firewall 
|    at home.  My laptop's firewall is set to allow nothing through.

You do let things through.  Otherwise you would not be connected to
the internet.

You probably mean something like: I've configured my laptop as a pure
client and offer no services.

That is not sufficient to make one "safe".  For example, a major vector 
for malware is client software: browsers and plugins (Flash, Java, 
Acrobat).  And unpredictable other things like OpenSSL.

In theory, good defence includes defence in depth.  SELinux is another
layer of protection.

When I first heard of SELinux, I never thought it would fly.  Just too
many entries to populate in the policy matrix.  But, with a lot of
effort, they have made it work.

SELinux works quite well for me.  That's because I don't stray far out
of the things provided by Fedora or Red Hat.  They've done all the
work.  But if you put up third-party services, I suspect you will have
to start understanding the arcane details of SELinux.

Bonus: the Red Hat SELinux maintainers are very responsive and helpful.  I 
think that some of them are the original developers (from NSA).

|    I need to visit a Second Cup with it to 
|    verify that it passes True Stealth analysis at http://www.grc.com.  
|    At a lot of sites, GRC seems to test the WiFi server, not me.

I would guess that that is because you are behind NAT at those sites.

In this case, GRC isn't a sufficient test because it doesn't cover the
threat of attacks from systems behind that same NAT.

Security is hard: complex, arcane, unforgiving, evolving.


====  Rant about NAT ====

NAT is an abomination.  It takes the network of peers and breaks it
into a network of servers and clients.  Contrary to the connotations
of those terms, servers are the only nodes that have the full power of
the internet and clients are limited.  Nodes are thus divided into
a first and second class.

Users now depend on their inferiority (client-only internet access)
for security.  That's the majority of what a wireless router does for
security.

And then a million hacks are invented to get around this stupid 
limitation.  UPnP has a component for holing firewalls without user 
knowledge.  "NAT Traversal" is a horrible addition to IPSec that I have to 
deal with (IPSec guarantees integrity of packets, NAT mangles packets).  
Think of STUN for your VOIP phone.  I don't know what Skype and bittorrent 
do for the same problem.  Among other things, these hacks are fragile and 
intricate.  They also reduce privacy.

The IETF mostly thought that NAT would be behind us with IPv6 but the
Bad Guys are thinking of worse stuff: "Carrier-Grade NAT".  Most of
us have one real (routable) IP address at home, something we can
leverage; with carrier-grade NAT, we will have no routable IP address.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
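The point about GRC testing "the WiFi server, not me" comes down to a question of addresses: if the host's own interface carries an RFC 1918 address and the external service reports a different, routable source address, the external scan probed the NAT gateway and says nothing about the host's own packet filter, nor about what a neighbour on the same LAN can reach. The script below is an added illustration, not code from the original post or from TLUG; it uses only the Python standard library, the address blocks are the published RFC 1918 and RFC 6598 (carrier-grade NAT) ranges, and the sample addresses are constructed (203.0.113.9 is a documentation address standing in for a public one).

```python
"""Decide what an external port-scan service actually reached, from addresses alone.

Added example, not part of the original mailing-list post. Standard library only;
all sample addresses below are constructed for illustration.
"""
import ipaddress

# Blocks that are never routed on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space: carrier-grade NAT
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when no DHCP answers


def classify(addr: str) -> str:
    """Return 'loopback', 'link-local', 'private', 'cgnat' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def scan_target(local_ip: str, observed_ip: str) -> str:
    """What did an external scanner (the GRC test in the thread) actually probe?

    local_ip    -- the address configured on the host's own interface
    observed_ip -- the source address the external service reports seeing
    """
    observed_kind = classify(observed_ip)
    if observed_kind != "public":
        # Even the "outside" sees a non-routable address: at least one more NAT layer
        # sits above this one (carrier-grade NAT), so the host has no address of its own
        # for an external scan to test.
        return "upstream-nat"
    if local_ip == observed_ip:
        return "host"        # the scan reached this machine's own packet filter
    if classify(local_ip) in ("private", "link-local", "cgnat"):
        return "gateway"     # the scan tested the NAT router, not the host behind it
    return "unknown"         # both public but different (e.g. a proxy); addresses alone can't say


def same_segment(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """True when both hosts share one subnet (e.g. the same cafe WiFi): traffic from ip_b
    reaches ip_a directly, so the gateway's filtering never enters the picture and only
    the host's own firewall counts."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net


if __name__ == "__main__":
    # Constructed sample pairs (local address, address the external service reported).
    cases = [
        ("192.168.1.23", "203.0.113.9"),   # typical home or cafe NAT: scan hit the router
        ("203.0.113.9", "203.0.113.9"),    # routable address on the host: scan hit the host
        ("192.168.1.23", "100.72.5.1"),    # carrier-grade NAT above the home router
    ]
    for local, observed in cases:
        print(f"{local:>14} seen as {observed:<14} -> {scan_target(local, observed)}")
    print("same /24 as 192.168.1.77:", same_segment("192.168.1.23", "192.168.1.77", 24))
```

Run it with the host's real interface address and the address the external service shows you; a result of "gateway" means the test covered the router, and `same_segment` is the reminder that anything on the same subnet never meets that router at all.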