server was down all the weekend again...

[Terran]

Another kernel bug (german news site):

http://heise.de/newsticker/meldung/44755

[Onno Kreuzinger]

i know, it throws a "Speicherzugriffsfehler" [core dump] on most kernels i tested. on my mandrake 9.0 it just dies w/o notice.

[Terran]

Debian already fixed it :-)

[Onno Kreuzinger]

luckily my firewall is not affected ;-)

[Onno Kreuzinger]

Quote:

I'm not sure this will result in a secure system but it will result in a hard to manage system because of the complexity you described.

yes it is complex, but it was a carrier grade central internet gateway, it took about 1,5 man work years to make the concept. i was involved in the whole router and pix inband management stuff and resulting of this for all ip security but the aravox'es. all external business ip traffic (not endcustomer) went trough that single point of ip exchange.

Quote:

Btw: aravox is out of buisness since last year...
Btw2: what is a "onion router ring"?

AFAIK the aravox is still considered to be secure, it has a close-to-flawless design, but i didn't research for appliances of that scale lately.

Onion Routing is considered to be the most reliable anonymizer techniqe developed by the Navy, based on 1981 studies from David Chaum.
http://swpat.ffii.org/patents/effect.../index.en.html

[Terran]

Quote:

Originally Posted by memed

yes it is complex, but it was a carrier grade central internet gateway, it took about 1,5 man work years to make the concept. i was involved in the whole router and pix inband management stuff and resulting of this for all ip security but the aravox'es. all external business ip traffic (not endcustomer) went trough that single point of ip exchange.

Ok, THAT makes sense :-)

Quote:

Originally Posted by memed

AFAIK the aravox is still considered to be secure, it has a close-to-flawless design, but i didn't research for appliances of that scale lately.

They were indeed secure and really fast but their configuration is a real pain in the ass. That's why they went out of business...

Quote:

Originally Posted by memed

Onion Routing is considered to be the most reliable anonymizer techniqe developed by the Navy, based on 1981 studies from David Chaum.
http://swpat.ffii.org/patents/effect.../index.en.html

How does this technology fit into a security concept? I think it's counterproductiv as you as the security administrator want to know who is accessing your systems...

[Onno Kreuzinger]

Quote:

Originally Posted by Terran

How does this technology fit into a security concept? I think it's counterproductiv as you as the security administrator want to know who is accessing your systems...

read the link, sender and recipient know each other, but all transit-network equipment only knows the addresse for its own path (A-B).
the trafic delegation(routing) works by encapsulating the payload for each hop into an extra packet. each step uses encryption which assures that the routers can onyl read the address for the next hop.

Jana-proxy also uses that techniqe, even cleaner implementet (why they are not afraid of any patent, which is nonsense btw because it is allready described in the 1981 studies).

cheers

[botmeister]

Quote:

Originally Posted by Pierre-Marie Baty

it's a kernel I compiled myself to get rid of the useless hardware drivers and all the bloatware there is in a generic Linux kernel. Recompiling a custom kernel can save up to 80% kernel space, saves resources (IRQ and memory) and leads to a non neglectable speed improvement.

I find this surprising. Why would a kernel have hardware drivers directly imbedded inside of it? That makes little sense to me. My understanding of the Unix methodology is that a layered approach is taken, where the kernel is a relatively tiny component of an overall OS. Everything is layered on top of the kernel. Something sounds wrong with having drivers embedded inside a kernel.

Ah, but as my sig says "theory != practice"

What is the BSD kernel like?

[Pierre-Marie Baty]

Ah, here comes the "monolithic vs modular" troll again...

Actually it does make sense to have a monolithic kernel tailored for your hardware. I am speaking about production machines. UNIX is supposed to be a stable OS, that you hardly ever need to reboot, which runs on a machine dedicated to it. In this sense, what are the advantages of modules (hardware drivers, crypto libraries, kernel-level binaries, whatever) over a monolithic kernel ? I don't see many, since the modules are loaded when the machine boots, and ideally, are never unloaded (since loading/unloading a kernel plugin is a critical task for the system, and most of the production systems can't afford the luxe of a system failure).

Furthermore, loading/unloading/handling modules has to be done by userland programs, executables on the hard disk, which ones are bound to user and group permissions and the filesystem's security strategy like any other userland program. There is an inner security flaw in this approach. If you haven't yet you'll soon notice that a good amount of Linux exploits concern kernel modules.

Another reason why I tend to prefer monolithic kernels, is that they typically take quite less space in memory compared to their modular equivalents (once all the modules are loaded, I mean.) And with this smaller memory footprint goes a (little) faster speed of execution. The BSD kernels are all monolithic. FreeBSD has the modularity feature, but it's not as widely used at all as in Linux, and many people (especially those who run and administrate business machines) recommend not to use it and stick with a custom kernel that is perfectly tailored to suit your hardware (although the OpenBSD guys, with their well-known focus on security, recommend to keep the default monolithic kernel that comes with the installation).

[Onno Kreuzinger]

nah i wont rantle about that :-)
as PMB said, keeping the stock kernel is the safest option, for linux it's with modules, for others not.

oh and i reworked my bookmarks and found this:
http://bulk.fefe.de/
it shows some problems for the VM in OBSD.