Securing Network Services with FreeBSD Jails

In this article by Christer Edwards, we will explore FreeBSD Jails. FreeBSD Jails are a kernel-level security mechanism which allows you to safely segregate processes within a sandbox environment. Jails are commonly used to secure production network services like DNS or Email by restricting what a process can access. In the case of a malicious attack on one service, all other Jailed processes would remain secure. FreeBSD Jails securely limits, in an administratively simple way, the amount of damage an attacker can do to a server.

Introduction

Is it possible to easily run a half-dozen internet services on a single piece of hardware and make sure that if one is compromised the others will remain unharmed? Can this be done without a mountain of administrative overhead and customization? Can I configure my services the way I have grown accustomed? Absolutely! This article will outline how to achieve this, through the use of FreeBSD Jails.

Over the course of this article I will outline how to install a list of production services on a single piece of hardware, securing each one from the next, all with only one additional administrative tool: ezjail

Before we get to the ezjail tool we need to define FreeBSD Jails. What are they? What do they do? Why do I care?

FreeBSD Jails are a kernel-level security tool used widely in the FreeBSD community to segregate processes. An easy way to think of a Jail is that it is very much like a chroot environment, but much more hardened. While a standard chroot environment can often be escaped, FreeBSD has added code to their kernel which hardens the chroot environment into a “Jail”—Inescapable. Within this Jailed environment processes are unable to identify, access or otherwise communicate with processes on the outside of the Jail. Networking is limited within the Jail as well. A Jail cannot affect any underlying network configuration other than that which it has been assigned. A Jail can also be thought of in many ways like a virtualized machine in that the virtual “guest” cannot interact with the physical “host”. Jails allow us the opportunity to run processes in a secure manner separate from our host environment.

If that sounds appealing to you may be wondering how to activate and use this Jail system. That, my friend, is the focus of this article. Get settled because by the time we’re done here you will have all the tools you need to segregate processes for security, sandboxing or even create custom environments for other users.

By default the Jail system is part of the FreeBSD kernel. The kernel customizations to make the system possible have such a minimal footprint that it was decided it should be a default, always-on feature of FreeBSD. Your FreeBSD installation already has the ability to do everything described above, you just need to know how to use it. Continue

Read the whole article on setting up, configuring and running FreeBSD Jails

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>