On 08/12/10 17:10, Les Mikesell wrote:
On 12/8/2010 4:04 AM, David Sommerseth wrote:
[...snip...]
Agreed, and something that equally needs standardization.
iptables is a de-facto standard on all Linux distributions nowadays. It is not ratified by ISO, IETF or similar ... but how does that make the real life scenario any different? That's just a piece of paper. iptables works, and so does SELinux - when you learn how to use it.
The real life situation is that iptables only works on Linux and the way it works is distribution-dependent. So what you learn may lock you into a platform that may not always be your best choice.
Please educate me here. I've been using Novell SuSE Linux, RHEL/CentOS/Fedora, Gentoo, Crux Linux, RootLinux, Slackware, Ubuntu, my N900's maemo5 (which is Debian based) and OpenWRT-based routers ... and I have not seen iptables behave differently than expected on any of these ... I don't completely understand your argument.
Some of these distros do indeed have their own additional tools, like YaST2, ufw, system-config-firewall, etc, etc ... Those will be different, but they all use iptables under the hood. I'm not talking about the simplified iptables front-ends, as those *are* expected to be different.
SELinux came about because someone found weaknesses and wanted to try to avoid security issues. Just like when firewalls began to become so popular 20-30 years ago or so. There was a need to improve something, and someone did the job. Nobody cared much about firewalls in the early 80's. Why? Maybe because nobody thought anyone would abuse or misuse the network infrastructure?
Does that mean you would not be comfortable moving your applications to SUSE, Solaris, OS X, Windows, etc.? I don't want that kind of lock-in.
Considering that Debian is on the move towards SELinux (Lenny installs SELinux packages by default, just not enabled by default), openSuSE is moving towards SELinux[1], and Gentoo has hardened/SELinux projects going on ... moving from RHEL/CentOS to other Linux distros will not be an issue in the future. Since I see that SELinux is beginning to get some traction in other distros as well, I am not worried about a "lock-in" on SELinux.
When it comes to Solaris, OSX and Windows, that is not comparable, as when you base your installations on Linux, you have already at that point limited yourself somewhat. And those OSes have completely different security mechanisms. Whether they are comparable, better or worse than SELinux, I don't know - because I prefer Linux in general - as it is a F/OSS product. But with the knowledge I now have of SELinux, I would be reluctant to move over to a platform which does not have something similar.
[1] http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/
SELinux has been around for about a decade or so. And I believe that the more widespread SELinux becomes, and the more users it gets, the more people there will be who do not understand discussions like this.
Agreed - if it is as standard and cross-platform as Posix support, you will be able to depend on it without the associated side effect of being locked to a particular OS distribution.
First of all SELinux is written for Linux. Or else it would probably have been called SEPosix.
Second, iptables is a de-facto standard for Linux, just as pf is pretty much the standard firewalling on BSD. Windows and Solaris have their own firewalling methods as well. My point is, none of them is a Posix standard ... would you prefer not to use any of these firewall implementations due to lack of cross-platform Posix support?
kind regards,
David Sommerseth