From: Paul Moore <paul.moore@hp.com>
To: "John Wan" <J.Wan@mbs.edu>
Cc: selinux@tycho.nsa.gov
Subject: Re: Would the SELinux act as a TippingPoint IPS to block the nasty Trojan traffic?
Date: Tue, 10 Apr 2007 11:18:58 -0400
Message-ID: <200704101118.58830.paul.moore@hp.com>
In-Reply-To: <11C75E9645FB0F428EFA37F5BEADFEA10419916A@CAR-MBUS-MX1.mbus.local>

On Tuesday, April 10 2007 7:30:23 am John Wan wrote:
> I am new to SELinux. I would like to configure the SELinux (on a Linux
> box running RH EL AS4) to work as a Proactive IPS device (such as
> TippingPoint Intrusion Prevention Systems --- Proactive Network Security,
> it would cost about $20K, which is way beyond my budget). I wish the
> SELinux would work as an IPS device to protect our staff network from
> our wireless network (the Linux RH EL AS4 box with Chillispots & SELinux
> connects the staff network and the wireless network). For example, a
> student wireless laptop with a Trojan virus would not be able to go
> through the Linux box (with Chillispots & SELinux) from the wireless
> network to the staff network. This is because the SELinux would act
> as a TippingPoint IPS to block the nasty Trojan traffic.
>
> My question is: Is this possible?

I'm not very familiar with TippingPoint but I assume from your description that 
what you are looking for is a piece of software that would identify certain 
network traffic signatures and trigger blocking behavior when such signatures 
were found.  If that is the case I think SELinux (in its current form) alone 
will not accomplish what you are trying to do; however, it could be part of 
the solution used to protect the integrity of the router.

> Anti-virus and IDS/IPS systems based on signatures are reactive,
> operating only on known threats, which is why zero-day exploits are so
> prized by malware authors.
>
> SELinux, on the other hand, can be compared to a firewall with a default
> "deny any" rule, and a set of "allow" rules to only permit actions that
> are necessary for proper system operation.
>
> My ultimate goal is to use the SELinux policy to block the abnormal
> network traffic (such as a Trojan virus) from one network to another
> network. Or the Linux box would be able to stop the contagious network
> traffic in the wireless network by using the SELinux policy.
>
> Is that possible? Or am I terribly wrong here?

There are two things which immediately spring to mind:

1. SELinux as a general rule does not do packet inspection like some IDS/IPS 
solutions
2. SELinux does not provide any packet forwarding access controls

Granted, item #2 is something we (or at least I) want very badly and will be 
working on over the course of this year.  The initial work will most likely 
be limited to external labels (CIPSO, labeled IPsec, etc.), but it should be 
possible to expand the packet forwarding controls to make use of locally 
generated labels as well (SECMARK).  As for item #1, perhaps others have some 
thoughts on this, but I don't see this happening anytime soon.

-- 
paul moore
linux security @ hp

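For the SECMARK mechanism the reply names as a source of locally generated labels, an added illustration (not from this thread and not SELinux project code) of how a label gets attached to a packet and which policy rule then governs it. The interface names, the packet type wifi_client_packet_t, the domain chilli_t for the captive-portal daemon, and the refpolicy packet_type attribute are assumptions.

```text
# iptables side (mangle table): label new connections arriving from the
# wireless interface and carry the label across the connection with
# connection tracking, so replies see the same label.
iptables -t mangle -A INPUT  -i wlan0 -m state --state NEW \
    -j SECMARK --selctx system_u:object_r:wifi_client_packet_t:s0
iptables -t mangle -A INPUT  -i wlan0 -m state --state NEW \
    -j CONNSECMARK --save
iptables -t mangle -A INPUT  -i wlan0 -m state --state ESTABLISHED,RELATED \
    -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -o wlan0 -m state --state ESTABLISHED,RELATED \
    -j CONNSECMARK --restore

# policy side (.te module): declare the packet type and allow exactly one
# local domain to use it. Every other domain is denied by default, which is
# the "deny any" behaviour the question compares SELinux to.
policy_module(wifi_packets, 1.0)
type wifi_client_packet_t, packet_type;   # packet_type attribute: refpolicy (assumed)
require { type chilli_t; }                 # assumed name for the Chillispot daemon domain
allow chilli_t wifi_client_packet_t:packet { send recv };

# Limit to keep in mind: the packet-class check fires when a local process
# receives or sends the packet (INPUT/OUTPUT paths). A packet the box only
# forwards from wlan0 to eth0 never reaches a process, so no send/recv
# permission is consulted. That gap is the forwarding control item #2 in
# the reply says has still to be written.
```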
