
Conference smurf::dec_mls_plus

Title: dec_mls_plus
Moderator: SMURF::BAT
Created: Mon Nov 29 1993
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 534
Total number of notes: 2544

426.0. "MLS+ V4.0 + Polycenter + Altavista + Informix" by VAXRIO::LEO () Thu Dec 12 1996 14:41

T.R     Title                                                          User                Personal Name              Date                   Lines
426.1   Know any people who like to test application installations?    SMURF::BAT          Segui la tua beatitudine   Thu Dec 12 1996 19:56  82
426.2   from Andy                                                      SMURF::BAT          Segui la tua beatitudine   Thu Dec 12 1996 19:57  13
426.3                                                                  COMICS::CORNEJ      What's an Architect?       Fri Dec 13 1996 07:34  8
426.4                                                                  VAXRIO::LEO                                    Fri Dec 13 1996 14:38  19
426.5   thank you                                                      SMURF::BAT          Segui la tua beatitudine   Fri Dec 13 1996 16:27  1
426.6   Altavista tunnel and firewall compatibility with mls+          MAIL1::GHAHRAMANI                              Thu Apr 17 1997 15:59  4
    Is there any status on MLS+ V4.0 for Digital Unix and Altavista Tunnel
    and Firewall?  My customer AT&T is VERY interested in this.
    
    Forough
426.7   AV firewall on MLS+ considered then shelved   SMURF::CAYWOOD   The Wayward Ms. Caywood   Fri Apr 18 1997 14:58   17
>    Is there any status on MLS+ V4.0 for Digital Unix and Altavista
>    Tunnel and Firewall?
    
    Official word is that MLS+ with the AVFW was an opportunity that was
    being explored, but will not be available.  Digital will present the
    base product (Digital UNIX) w/ AVFW.  
    
    This was explored by Firewall Engineering, MLS+ Engineering and SI.  In
    principle, all three groups supported the concept of developing an 
    MLS+ Firewall solution but there are insufficient resources to support
    it.
    
    An assessment was made to scope the work required to enable AVFW/MLS+
    compatibility.  I'll post that separately.
    
    /Janice
426.8   MLS+ Kernel changes required for Firewall   SMURF::CAYWOOD   The Wayward Ms. Caywood   Fri Apr 18 1997 15:20   110
    ---------------------
    
    WORK TO BE DONE FOR AVFW/MLS+ COMPATIBILITY
    
    1. Port the firewall code submit ptcos-265-ajay (the firewall code
    submitted by DU in PTC, described below) to the MLS+ kernel.
    This impacts: 
    
    	std.kern.mod
    	inet.mod
    	gwscreen.mod
    
    2. AVFW group would need to move the firewall modules as described
    below for DIGITAL UNIX
    
    3. MLS+ to determine which user space modules are modified by AVFW, and
    to follow the same porting process as described above for the kernel
    modules.  This work is above and beyond that which was required for DU.  
    We also need to find out how Andy Bayerl prevented the firewall from 
    modifying the 3 MLS+ modules upon loading.  
    
    4. Test.  
    
    -------------------------
    
    WORK DONE FOR AVFW COMPATIBILITY WITH DIGITAL UNIX:
    
    Most of the Alta Vista firewall (AVFW) kernel mods have been merged
    into Digital Unix Platinum version C (DU PTC).  (See QAR #51655, and Submit
    #PTCOS-265-ajay for most of the modules).
    
    The AVFW has 3 functions:
    
    	Interface access filter - already shipped in DU V4.0
    
    	transparent proxy (xproxy) - being added to DU PTC
    
    	firewall protocol - enables setting permissions (accept, proxy, 
    reject) at network or i/f level (subnet or device), and gets 
    configured in user space via screend.conf config file.
    
    Assuming the Alta Vista group follows through with the plan, most of
    the key firewall code will become localized in the screening sub-system
    (ip_screen.c and gw_screen.c) to avoid impact on the core kernel modules. 
    Future maintenance patches by the AVFW group will no longer need to include 
    kernel modules that overwrite code touched by DU (provided the DU 
    recommended changes are completed by the AVFW group in the PTC timeframe).
    E.g., maintenance of firewall modules ip_forwardscreen() and 
    ip_outputscreen() routines (formerly in file ip_input.c (or ip_screen.c?)) 
    by the AV group will be feasible without conflict with DU development.
    
    Any patches to ip_screen.c and gw_screen.c in gwscreen.mod will be
    provided by the AVFW group to enable a "rolling patch" into DU.  No 
    changes are expected to the other 2 files, std_kern.mod and inet.mod.
    
    DU will not modify firewall routines directly, rather DU will forward
    any required mods to the AV group to make the changes, which DU would then
    roll into the next OS version.
    
    DU agreed to test, verify and submit the currently known required
    kernel code changes. 
    
    The AV group has been asked to test both cases of the screend (ships
    with DU) with and without the ipfirewall case. (DU has a run time condition 
    that will trigger firewall functionality vs base system functionality.)  
    The AVFW group has not yet committed to this or to a timeframe.
    
    There are also changes needed to udp_usrreq.c that are being worked.
    
    Note that no design specs or support have been provided to DU by the
    AVFW group to date.
    
    Attached is a summary written by Ajay Kachrani (dtn 381-2005) of
    specific modules impacted based on his work with the AVFW on DIGITAL
    UNIX:
    
    Merging status of each module modified by the firewall group
    
    The first pass merging the firewall code (to PTC) in high-traffic network 
    modules has been completed:
            net/if.c
            net/if.h
            netinet/in_pcb.c
            netinet/in_pcb.h
            netinet/ip_icmp.c
            netinet/ip_input.c (except new FW routines needing work, which
                                belong to ip_screen.c/gw_screen.c)
            netinet/ip_output.c
            netinet/tcp_input.c
            sys/ioctl.h
    
    The following modules will need work for code that we recommend moving
    from ip_input.c and possibly reworking some of it:
    
            netinet/proto_inet.h
            net/proto_net.h
            net/gw_screen.c
            net/gw_screen.h
            netinet/ip_screen.c
    
    Needs some work:
            netinet/udp_usrreq.c
    
    Interface to turn Firewall on/off postponing until all the work is
    complete.
            bsd/sys_sysinfo.c
    ---------------------
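The note above describes the AVFW "firewall protocol" as setting permissions (accept, proxy, reject) at the network or interface level, i.e. per subnet or per device, and gives the screening sub-system (ip_screen.c / gw_screen.c) as the place where that decision is localized. The following is an added illustration, not Digital UNIX, AVFW or screend code, of how such a screening decision table can be resolved: rules keyed on either a subnet or an interface name, the most specific matching rule winning, and reject as the fail-closed default. The interface names (tu0, tu1, tu2), the 192.0.2.0/24 "trusted" subnet, the rule structure and the function names are all constructed for this example and do not reflect the screend.conf format.

```c
/*
 * Added example (not AVFW/screend code): a toy screening decision table.
 * A rule matches on an interface name (device level), a subnet (network
 * level), both, or neither (the default). Among all matching rules the
 * most specific one decides; with no match the packet is rejected.
 * All names, subnets and the rule layout are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack a dotted quad into a host-order IPv4 address (usable in initializers). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum screen_action { SCREEN_REJECT = 0, SCREEN_ACCEPT = 1, SCREEN_PROXY = 2 };

struct screen_rule {
    const char        *ifname; /* device-level match; NULL matches any interface */
    uint32_t           net;    /* network-level match, host byte order */
    uint32_t           mask;   /* 0 matches any source address */
    enum screen_action action;
};

/* Number of leading one bits in a contiguous netmask: longer is more specific. */
static int prefix_len(uint32_t mask)
{
    int n = 0;
    while (mask & 0x80000000u) { n++; mask <<= 1; }
    return n;
}

/*
 * Constructed rule table. Hypothetical interfaces: tu0 = outside, tu1 = inside.
 * 192.0.2.0/24 (a documentation prefix) stands in for a trusted subnet.
 * Order does not matter; the most specific match decides.
 */
static const struct screen_rule rules[] = {
    { NULL,  0,                   0,                     SCREEN_REJECT }, /* default: reject everything */
    { "tu0", 0,                   0,                     SCREEN_PROXY  }, /* outside i/f: hand to transparent proxy */
    { "tu1", 0,                   0,                     SCREEN_ACCEPT }, /* inside i/f: forward as-is */
    { NULL,  IP4(192, 0, 2, 0),   IP4(255, 255, 255, 0), SCREEN_ACCEPT }, /* trusted subnet on any i/f */
    { "tu0", IP4(192, 0, 2, 0),   IP4(255, 255, 255, 0), SCREEN_REJECT }, /* ...but never from outside (anti-spoofing) */
};

/* A device match outranks an any-device rule; among those, a longer prefix wins. */
static int specificity(const struct screen_rule *r)
{
    return (r->ifname != NULL ? 64 : 0) + prefix_len(r->mask);
}

/* Resolve the action for a packet arriving on ifname with source address src. */
enum screen_action screen_decide(const char *ifname, uint32_t src)
{
    const struct screen_rule *best = NULL;
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct screen_rule *r = &rules[i];
        if (r->ifname != NULL && strcmp(r->ifname, ifname) != 0)
            continue;                               /* wrong device */
        if ((src & r->mask) != (r->net & r->mask))
            continue;                               /* outside the rule's subnet */
        if (best == NULL || specificity(r) > specificity(best))
            best = r;
    }
    return best != NULL ? best->action : SCREEN_REJECT; /* fail closed */
}

static const char *action_name(enum screen_action a)
{
    return a == SCREEN_ACCEPT ? "accept" : a == SCREEN_PROXY ? "proxy" : "reject";
}

int main(void)
{
    /* Constructed sample packets: (arrival interface, source address). */
    struct { const char *ifname; uint32_t src; } pkts[] = {
        { "tu1", IP4(10, 0, 0, 5) },   /* inside host                         -> accept */
        { "tu0", IP4(10, 0, 0, 5) },   /* outside host                        -> proxy  */
        { "tu0", IP4(192, 0, 2, 7) },  /* trusted address arriving from outside -> reject */
        { "tu2", IP4(192, 0, 2, 7) },  /* trusted address on an unlisted i/f  -> accept */
        { "tu2", IP4(10, 0, 0, 5) },   /* unlisted i/f, untrusted address     -> reject */
    };
    size_t i;

    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%s %u.%u.%u.%u -> %s\n", pkts[i].ifname,
               (unsigned)(pkts[i].src >> 24), (unsigned)((pkts[i].src >> 16) & 0xFF),
               (unsigned)((pkts[i].src >> 8) & 0xFF), (unsigned)(pkts[i].src & 0xFF),
               action_name(screen_decide(pkts[i].ifname, pkts[i].src)));
    return 0;
}
```

The point of the specificity ordering is the last two rules: a subnet that is accepted on any interface is still rejected when it shows up on the outside interface, which is how a screen at the device level catches a source address that should only ever appear inside. Whether the real gwscreen code resolves conflicts this way is not stated in the note; the example only shows one consistent way to do it.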
    
    
         
426.9   Clarification on MLS+/AVFW   SMURF::CAYWOOD   The Wayward Ms. Caywood   Fri Apr 18 1997 15:57   5
    Just to clarify my previous note, the real solution for MLS+/AVFW
    compatibility would be for the Firewall to support MLS+ as a platform,
    not for MLS+ to try to keep up with the moving target of FW releases.
    
    /J.
426.10  from tony   SMURF::BAT   Segui la tua beatitudine   Tue Apr 22 1997 19:31   18
From:	ALPHA::tfiore "Anthony Fiore" 18-APR-1997 09:21:26.45
To:	bat@dec:.zko.smurf, kamlia::caywood, kamlia::tfiore
CC:	meg@DEC:.zko.alpha, xirtlu::vcormier
Subj:	Re:  Tunnel and Firewall support on MLS+?

Bat,

Mike Tierney called me last night and said the firewall people are now
interested in speaking with us to support MLS+. However, this is for 3.1a.
I haven't heard from them.

    Is there any status on MLS+ V4.0 for Digital Unix and Altavista Tunnel
    and Firewall?  My customer AT&T is VERY interested in this.

ANSWER: The AV Firewall does not support MLS+ as a platform.  AV product
management needs to be advised of the business impact on this potential
sale.  In general, any layered product that modifies the  MLS+ kernel
is not supported.