On Wed, Dec 8, 2010 at 11:10 AM, Les Mikesell <lesmikesell@gmail.com> wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
>> iptables is a de facto standard on all Linux distributions nowadays. It is not ratified by ISO, IETF or similar ... but how does that make the real life scenario any different? That's just a piece of paper. iptables works, and so does SELinux - when you learn how to use it.
> The real life situation is that iptables only works on Linux and the way it works is distribution-dependent. So what you learn may lock you into a platform that may not always be your best choice.

iptables rules are distribution-independent. Different distributions dump the iptables control and config files in different locations...

>> SELinux came as a result that someone found weaknesses and wanted to try to avoid security issues. Just like when firewalls began to become so popular 20-30 years ago or so. There was a need to improve something, and someone did the job. Nobody cared much about firewalls in the early 80's. Why? Maybe because nobody thought anyone would abuse or misuse the network infrastructure?
> Does that mean you would not be comfortable moving your applications to SUSE, Solaris, OS X, Windows, etc.? I don't want that kind of lock-in.

SUSE has AppArmor (which it considers equivalent/superior), but you probably can install SELinux on it (you can on Ubuntu and Debian).
Solaris has Trusted Extensions for MAC and RBAC.
OS X has a Macified version of TrustedBSD.
Windows has UAC.
(In the same way that the last three have their own firewall apps!)