T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
426.1 | Know any people who like to test application installations? | SMURF::BAT | Segui la tua beatitudine | Thu Dec 12 1996 16:56 | 82 |
426.2 | from Andy | SMURF::BAT | Segui la tua beatitudine | Thu Dec 12 1996 16:57 | 13 |
426.3 | | COMICS::CORNEJ | What's an Architect? | Fri Dec 13 1996 04:34 | 8 |
426.4 | | VAXRIO::LEO | | Fri Dec 13 1996 11:38 | 19 |
426.5 | thank you | SMURF::BAT | Segui la tua beatitudine | Fri Dec 13 1996 13:27 | 1 |
426.6 | Altavista tunnel and firewall compatibility with mls+ | MAIL1::GHAHRAMANI | | Thu Apr 17 1997 12:59 | 4 |
| Is there any status on MLS+ V4.0 for Digital Unix and Altavista Tunnel
and Firewall? My customer AT&T is VERY interested in this.
Forough
|
426.7 | AV firewall on MLS+ considered then shelved | SMURF::CAYWOOD | The Wayward Ms. Caywood | Fri Apr 18 1997 11:58 | 17 |
| > Is there any status on MLS+ V4.0 for Digital Unix and Altavista
> Tunnel and Firewall?
Official word is that MLS+ with the AVFW was an opportunity that was
being explored, but will not be available. Digital will present the
base product (Digital UNIX) w/ AVFW.
This was explored by Firewall Engineering, MLS+ Engineering and SI. In
principle, all three groups supported the concept of developing an
MLS+ Firewall solution but there are insufficient resources to support
it.
An assessment was made to scope the work required to enable AVFW/MLS+
compatibility. I'll post that separately.
/Janice
|
426.8 | MLS+ Kernel changes required for Firewall | SMURF::CAYWOOD | The Wayward Ms. Caywood | Fri Apr 18 1997 12:20 | 110 |
| ---------------------
WORK TO BE DONE FOR AVFW/MLS+ COMPATIBILITY
1. Port the firewall code submit ptcos-265-ajay (the firewall code
submitted by DU in PTC, described below) to the MLS+ kernel.
This impacts:
std.kern.mod
inet.mod
gwscreen.mod
2. AVFW group would need to move the firewall modules as described
below for DIGITAL UNIX
3. MLS+ to determine which user space modules are modified by AVFW, and
to follow the same porting process as described above for the kernel
modules. This work is above and beyond that which was required for DU.
We also need to find out how Andy Bayerl prevented the firewall from
modifying the 3 MLS+ modules upon loading.
4. Test.
-------------------------
WORK DONE FOR AVFW COMPATIBILITY WITH DIGITAL UNIX:
Most of the Alta Vista firewall (AVFW) kernel mods have been merged
into Digital Unix Platinum version C (DU PTC). (See QAR #51655, and Submit
#PTCOS-265-ajay for most of the modules).
The AVFW has 3 functions:
Interface access filter - already shipped in DU V4.0
transparent proxy (xproxy) - being added to DU PTC
firewall protocol - enables setting permissions (accept, proxy,
reject) at network or i/f level (subnet or device), and gets
configured in user space via screend.conf config file.
Assuming the Alta Vista group follows through with the plan, most of
the key firewall code will become localized in the screening sub-system
(ip_screen.c and gw_screen.c) to avoid impact on the core kernel modules.
Future maintenance patches by the AVFW group will no longer need to include
kernel modules that overwrite code touched by DU (provided the DU
recommended changes are completed by the AVFW group in the PTC timeframe).
E.g., maintenance of firewall modules ip_forwardscreen() and
ip_outputscreen() routines (formerly in file ip_input.c (or ip_screen.c?))
by the AV group will be feasible without conflict with DU development.
Any patches to ip_screen.c and gw_screen.c in gwscreen.mod will be
provided by the AVFW group to enable a "rolling patch" into DU. No
changes are expected to the other 2 files, std_kern.mod and inet.mod.
DU will not modify firewall routines directly, rather DU will forward
any required mods to the AV group to make the changes, which DU would then
roll into the next OS version.
DU agreed to test, verify and submit the currently known required
kernel code changes.
The AV group has been asked to test both cases of the screend (ships
with DU) with and without the ipfirewall case. (DU has a run time condition
that will trigger firewall functionality vs base system functionality.)
The AVFW group has not yet committed to this or to a timeframe.
There are also changes needed to udp_usrreq.c that are being worked.
Note that no design specs or support have been provided to DU by the
AVFW group to date.
Attached is a summary written by Ajay Kachrani (dtn 381-2005) of the
specific modules impacted, based on his work with the AVFW on DIGITAL
UNIX:
Merging status of each module modified by the firewall group
The first pass merging the firewall code (to PTC) in high-traffic network
modules has been completed:
net/if.c
net/if.h
netinet/in_pcb.c
netinet/in_pcb.h
netinet/ip_icmp.c
netinet/ip_input.c (except new FW routines needing work, which belong
to ip_screen.c/gw_screen.c)
netinet/ip_output.c
netinet/tcp_input.c
sys/ioctl.h
The following modules will need work for code that we recommend moving
from ip_input.c, and possibly reworking some of it:
netinet/proto_inet.h
net/proto_net.h
net/gw_screen.c
net/gw_screen.h
netinet/ip_screen.c
Needs some work:
netinet/udp_usrreq.c
Interface to turn Firewall on/off: postponed until all the work is
complete.
bsd/sys_sysinfo.c
---------------------
|
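The note above describes the AVFW "firewall protocol" only as setting accept/proxy/reject permissions at the subnet or interface level, configured from user space via screend.conf. The following is an added illustration of that kind of screening lookup, written for this page; it is not code from the note, from Digital UNIX, or from the AltaVista Firewall. The rule table, the interface names (tu0/tu1), the "most specific rule wins" precedence (longest prefix, interface-specific over wildcard), and the fail-closed default when nothing matches are all assumptions made here, since the thread does not describe the real screend.conf syntax or semantics.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three decisions the note names for the AVFW firewall protocol. */
typedef enum { SCREEN_ACCEPT = 0, SCREEN_PROXY = 1, SCREEN_REJECT = 2 } screen_action_t;

typedef struct {
    const char     *ifname;  /* interface the rule is bound to, "*" = any device   */
    uint32_t        net;     /* IPv4 network, host byte order                      */
    int             prefix;  /* prefix length; 0 matches every host                 */
    screen_action_t action;  /* what to do with traffic matching this rule          */
} screen_rule_t;

/* Constructed example table (assumed; not a real screend.conf). */
static const screen_rule_t rules[] = {
    { "tu0", 0x00000000u,  0, SCREEN_REJECT }, /* external i/f: reject by default    */
    { "tu0", 0xC0A80100u, 24, SCREEN_PROXY  }, /* 192.168.1.0/24 on tu0 goes via proxy */
    { "tu1", 0xC0A80000u, 16, SCREEN_ACCEPT }, /* 192.168.0.0/16 on internal i/f tu1  */
    { "*",   0x0A000000u,  8, SCREEN_REJECT }, /* 10.0.0.0/8 rejected on any device   */
};

/* Parse a dotted quad into host-order uint32_t; returns -1 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 0;
}

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Look up the decision for a packet arriving on ifname from addr.
 * Precedence (assumed): longer prefix wins; at equal prefix an interface-bound
 * rule beats a "*" rule. No match at all fails closed to SCREEN_REJECT. */
screen_action_t screen_lookup(const char *ifname, uint32_t addr)
{
    int best = -1, best_score = -1;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const screen_rule_t *r = &rules[i];
        int if_specific = strcmp(r->ifname, "*") != 0;
        if (if_specific && strcmp(r->ifname, ifname) != 0) continue;
        uint32_t m = prefix_mask(r->prefix);
        if ((addr & m) != (r->net & m)) continue;
        int score = r->prefix * 2 + if_specific;
        if (score > best_score) { best_score = score; best = (int)i; }
    }
    return best < 0 ? SCREEN_REJECT : rules[best].action;
}

/* Convenience wrapper taking a dotted quad; returns -1 if the address is unparseable. */
int screen_lookup_str(const char *ifname, const char *ip)
{
    uint32_t addr;
    if (parse_ipv4(ip, &addr) != 0) return -1;
    return (int)screen_lookup(ifname, addr);
}

static const char *action_name(int a)
{
    return a == SCREEN_ACCEPT ? "accept" : a == SCREEN_PROXY ? "proxy"
         : a == SCREEN_REJECT ? "reject" : "parse-error";
}

int main(void)
{
    const char *probes[][2] = {
        { "tu0", "192.168.1.7" }, { "tu0", "192.168.5.9" },
        { "tu1", "192.168.5.9" }, { "tu1", "10.1.2.3" },
        { "tu1", "8.8.8.8" },     { "tu0", "300.1.1.1" },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-4s %-14s -> %s\n", probes[i][0], probes[i][1],
               action_name(screen_lookup_str(probes[i][0], probes[i][1])));
    return 0;
}
```

The point a defender takes from this shape is that a screening table needs an explicit precedence rule and an explicit default: with the assumed table, a host in 192.168.5.0/24 is proxied nowhere, rejected on the external interface, and accepted only on the internal one, and an address no rule covers is rejected rather than silently passed.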
426.9 | Clarification on MLS+/AVFW | SMURF::CAYWOOD | The Wayward Ms. Caywood | Fri Apr 18 1997 12:57 | 5 |
| Just to clarify my previous note, the real solution for MLS+/AVFW
compatibility would be for the Firewall to support MLS+ as a platform,
not for MLS+ to try to keep up with the moving target of FW releases.
/J.
|
426.10 | from tony | SMURF::BAT | Segui la tua beatitudine | Tue Apr 22 1997 16:31 | 18 |
| From: ALPHA::tfiore "Anthony Fiore" 18-APR-1997 09:21:26.45
To: bat@dec:.zko.smurf, kamlia::caywood, kamlia::tfiore
CC: meg@DEC:.zko.alpha, xirtlu::vcormier
Subj: Re: Tunnel and Firewall support on MLS+?
Bat,
Mike Tierney called me last night and said the firewall people are now
interested in speaking with us to support MLS+. However, this is for 3.1a.
I haven't heard from them.
Is there any status on MLS+ V4.0 for Digital Unix and Altavista Tunnel
and Firewall? My customer AT&T is VERY interested in this.
ANSWER: The AV Firewall does not support MLS+ as a platform. AV product
management needs to be advised of the business impact on this potential
sale. In general, any layered product that modifies the MLS+ kernel
is not supported.
|