http://www.gcn.com/online/vol1_no1/45944-1.html
By Joab Jackson
GCN.com
03/10/08
PHILADELPHIA — The National Security Agency is leading an effort to
extend its access control work into the arena of network file storage.
The effort involves integrating NSA's Flask mandatory access control
(MAC) architecture — now the basis of Security-Enhanced Linux (SELinux)
— into the Network File System (NFS) protocol widely used for
network-attached storage devices.
David Quigley of NSA's National Information Assurance Research
Laboratory presented the latest work on the project, called Labeled NFS
at the 71st meeting of the Internet Engineering Task Force this week in
Philadelphia. IETF currently oversees the NFS protocol.
NSA initiated and led the effort to develop SELinux, an implementation
of NSA's Flask MAC architecture for Linux. With MAC, programs and users
are assigned attributes such as security levels. Whenever a program
spawns a process thread or calls a file, the attributes are checked
against the organization's authorization rules.
By deploying MAC, organizations can ensure that machine intruders don't
hijack programs to execute malicious tasks, and they can prevent
employees from accessing documents they don't have permission to view.
Labeled NFS extends those features across the network. By having NFS
handle MAC labels, someone using a trusted computer can read and write
files and execute programs that reside on NFS-based network storage.
Today, the Flask architecture requires that all programs and files be
stored locally.
Labeled NFS can work in smart mode, which allows the file server to make
access control decisions, or dumb mode, which means it takes
instructions from the client machine.
James Morris, principal software engineer at Red Hat, published the
first recommendation for this approach, originally called Security
Enhanced NFS, last summer. The company incorporates SELinux into its Red
Hat Enterprise Linux operating system.
In addition to SELinux, Labeled NFS could also support Solaris Trusted
Extensions, TrustedBSD and Security Enhanced Darwin, a MAC-enhanced
version of the Apple operating system.
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
