kernel devel @ synack
Mon, 08 Mar 2010
snet v2

I finally released version 2 of snet's code.
It includes a granted-access ticket mechanism.
release v2
Fri, 06 Feb 2009
snet on lwn.net

http://lwn.net/Articles/316940/
Wed, 22 Oct 2008
Blog

No news here for a long time.
I will find time to keep this place alive in the future.

The latest news was the 6th netfilter workshop; summary here, and in French.

About the 'network events connector' project: it's not dead. I moved the code to libnl, so I rewrote the whole daemon. I still need a name for the tool; drop me a mail if you have an idea. Currently it's named "snet", as in "secure network", maybe.

These days, I'm working on releasing the code quickly, so it can be reviewed.
Wed, 31 Oct 2007
Mac OS X Leopard firewall

I have been waiting for Leopard since they announced the specifications of its firewall.
It's interesting because it's similar to the cn_net project, which I'm working on.

Last weekend, I tried it in a shop, but it was no more than clicking around and looking for the firewall's configuration tool.

Today, I looked for reviews and found this
Fri, 14 Sep 2007
Netfilter workshop 2007

I'm in Karlsruhe, Germany, for the netfilter workshop.
Today is the last day. It was very interesting for me to share ideas and to meet people.
I really enjoyed meeting Thomas Graf. Our discussions were very interesting. He gave a presentation about libnl.

I made a talk about the network events connector.

More information, blog and presentations here
Thu, 03 May 2007
I'm not the only one

David Woodhouse re-discovered the idea behind the network events connector.
It's nice to see that this idea is a good one :)
Thu, 26 Apr 2007
gcn_net

Work is going on with the graphical front-end:
* adding support to create a rule dynamically
* managing the database, in order to *really* add the rule

So now, the user is notified, can click the 'process' button, and can add a pre-configured rule.

I have to focus on how events go through the database, and how the decision's reply is handled in the kernel.
Mon, 23 Apr 2007
gcn_net, GTK front-end to cn_net

cn_net's goal is to feed the syscall's information into a dynamic decision process, so that, at the end, the syscall is ACCEPTed or DENYed. I'm also thinking about other states, like NOTIFY, etc., but I will look at that later.

Now, there is more on the GTK applet that controls the 'rules' applied to syscall requests, named gcn_net.

I have something useful, as I can add, search and remove rules from the database.
So now, there is an end-to-end working system:
* the kernel is about to execute a syscall,
* the request is forwarded to cn_net_daemon in userspace,
* cn_net_daemon forwards the request over dbus,
* gcn_net receives the request, looks for a match in the database, then 'ACCEPT's or 'DENY's the request,
* TODO: send the decision back to the kernel! This part is still missing.

The 'Security console' (accessed from the popup menu of the gcn_net status icon) is able to sort the rules as you wish, and you can choose the 'key search' order (process, uid, ... or syscall, uid, ...).
A rule is organised with this information:
* process name
* event (syscall: connect, accept, ..)
* uid
* sk_family (ipv4, ipv6, ..)
* protocol (tcp, udp, dccp, ..)
* source address and source port
* destination address and destination port
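The decision step described above (a request forwarded from the kernel, matched against the rule database, answered ACCEPT or DENY), written out as an added example that is not gcn_net's or cn_net's code. It assumes first-match-wins ordering and a fail-closed DENY default for requests no rule covers; the `Request`, `Rule` and `decide` names and the rule set are constructed for the example.

```python
from dataclasses import dataclass, fields
from typing import List, Optional

# Constructed example, not gcn_net's own code: a request carries the same
# fields the post lists for a rule; a rule field set to None means "any".
@dataclass(frozen=True)
class Request:
    process: str      # process name
    event: str        # syscall: connect, accept, ...
    uid: int
    sk_family: str    # ipv4, ipv6, ...
    protocol: str     # tcp, udp, dccp, ...
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    decision: str                      # "ACCEPT" or "DENY"
    process: Optional[str] = None
    event: Optional[str] = None
    uid: Optional[int] = None
    sk_family: Optional[str] = None
    protocol: Optional[str] = None
    src_addr: Optional[str] = None
    src_port: Optional[int] = None
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, req: Request) -> bool:
        # every non-wildcard rule field must equal the request's field
        return all(getattr(self, f.name) in (None, getattr(req, f.name))
                   for f in fields(Request))

def decide(rules: List[Rule], req: Request, default: str = "DENY") -> str:
    """First matching rule wins; no match falls back to the default (assumed DENY)."""
    for rule in rules:
        if rule.matches(req):
            return rule.decision
    # fail-closed fallback so the kernel never waits on an unanswered request
    return default

# Constructed rule database, most specific rules first.
RULES = [
    Rule("ACCEPT", process="firefox", event="connect", uid=1000, protocol="tcp", dst_port=443),
    Rule("DENY", process="firefox", event="connect", uid=1000),
    Rule("ACCEPT", event="accept", uid=0, protocol="tcp", dst_port=22),
]
```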

But now, I can focus on the kernel part, to support the decision's response, and update all the architecture docs.

Of course, here are some screenshots [1] [2] and in a different order [3] [4]
Mon, 16 Apr 2007
Network events connector, cn_net

This is my current project.
The idea is simple: we use Linux Security Modules hooks to capture the networking activity on a box. Then, with this information, we build a dynamic firewall according to the admin's policy.

You don't see it? Here are some docs about the architecture.
I will update this architecture soon, because a lot of things have changed:
* moved from a hash tree to an rbtree, thanks to Evgeniy Polyakov
* improved the communication protocol in the connector
* added a new GTK applet, which is able to display the alert [1] [2]

Currently, I'm working on the applet part, as my goal is for people to be able to play with this as soon as possible.

I will resubmit my kernel patch to netdev when all the issues reported by Evgeniy Polyakov are fixed.
I also need to resolve coding style problems.
Things take time, but cn_net is coming soon!
Fri, 16 Feb 2007
www.synack.fr

So first, I have to set up something useful for www.synack.fr
Starting a blog on synack.fr

I already put blosxom on my box some time ago, but I had never started a blog.

Let's give it a try!