[FAQ] ReHIPS network control

Started by fixer, October 29, 2018, 02:17:17 PM


fixer

If you've been following ReHIPS since early versions, you probably remember there was network control for programs at first and then it migrated to isolated environment. From ReHIPS 2.4.0 network control is possible for both isolated environments and programs. So what's the deal with all these changes?

At first each program had its own isolated environment, so having this program blocked from network access basically meant having the network access blocked for the corresponding isolated environment. But later we enabled each isolated environment to have multiple programs. And then network control was moved to isolated environment. Why? Because it's a security boundary. A program can't escape isolated environment, the isolated environment doesn't have network access, so the program is guaranteed to be blocked from the network. But later we received multiple requests to return network control on a program-wise basis. And so we did. But keep in mind that it's only for well-behaving programs, it's not a security boundary! In other words, if a program is benevolent, tries to make a network connection and obediently agrees if it's not given, then it remains offline. But if a program is malicious, doesn't agree and starts misbehaving like injecting into other programs running in the same isolated environment (it can do this as they're in the same isolated environment) and these other programs along with the isolated environment are allowed to have network access, the program will also access network through them. So keep this in mind, program-wise network control is not for strong security, it's for convenience and usability.
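The distinction in the post (environment-wise control is a boundary, program-wise control is a cooperative setting) is easy to lose when reviewing a configuration. The following is an added example, not ReHIPS code: a small policy model that evaluates each program's effective network state under both layers and flags rules that only hold while the program cooperates. The data model, the sample configuration and all names (`browser.exe`, `updater.exe`, the environment names) are constructed for illustration.

```python
"""Model of the two ReHIPS network-control layers described in the post.

Added example; assumptions: an isolated environment has one network flag
(a security boundary) and holds several programs, each with its own network
flag (honoured only by well-behaved programs).
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Program:
    name: str
    network_allowed: bool            # program-wise rule: convenience, not a boundary


@dataclass
class IsolatedEnvironment:
    name: str
    network_allowed: bool            # environment-wise rule: the security boundary
    programs: List[Program] = field(default_factory=list)


GUARANTEED_OFFLINE = "offline (enforced by the isolated environment)"
ONLINE = "online (allowed by program rule)"
COOPERATIVE_OFFLINE = "offline only while the program cooperates"


def network_state(env: IsolatedEnvironment, prog: Program) -> str:
    """Effective state of one program under both layers of control."""
    if not env.network_allowed:
        return GUARANTEED_OFFLINE       # boundary blocks it regardless of the program rule
    if prog.network_allowed:
        return ONLINE
    return COOPERATIVE_OFFLINE          # environment allows network; only the program rule says no


def reachable_through_siblings(env: IsolatedEnvironment, prog: Program) -> List[str]:
    """Other programs in the same environment that do have network access.

    The post's point: a misbehaving program is not separated from these
    siblings, so a program-wise block gives no guarantee against it.
    """
    if not env.network_allowed:
        return []
    return [p.name for p in env.programs if p is not prog and p.network_allowed]


def audit(envs: List[IsolatedEnvironment]) -> List[str]:
    """Report every program whose 'blocked' state rests on cooperation alone."""
    findings = []
    for env in envs:
        for prog in env.programs:
            if network_state(env, prog) != COOPERATIVE_OFFLINE:
                continue
            siblings = reachable_through_siblings(env, prog)
            detail = (f"siblings with network access: {', '.join(siblings)}"
                      if siblings else "no sibling currently has network access")
            findings.append(
                f"{env.name}/{prog.name}: program-wise block is not a security boundary "
                f"(environment allows network; {detail}). To enforce it, give the program "
                f"its own isolated environment with network blocked.")
    return findings


# Constructed sample configuration (not a real ReHIPS profile).
BROWSER_ENV = IsolatedEnvironment("Browser", network_allowed=True, programs=[
    Program("browser.exe", network_allowed=True),
    Program("updater.exe", network_allowed=False),   # blocked, but shares the environment
])
OFFICE_ENV = IsolatedEnvironment("Office", network_allowed=False, programs=[
    Program("word.exe", network_allowed=False),      # blocked by the boundary itself
])
SAMPLE_ENVS = [BROWSER_ENV, OFFICE_ENV]


def demo() -> List[str]:
    """Run the audit over the constructed configuration and return its findings."""
    return audit(SAMPLE_ENVS)


if __name__ == "__main__":
    for env in SAMPLE_ENVS:
        for prog in env.programs:
            print(f"{env.name}/{prog.name}: {network_state(env, prog)}")
    for line in demo():
        print("FINDING:", line)
```

Running it prints one finding: `updater.exe` is "offline only while the program cooperates", because its environment and its sibling `browser.exe` have network access. `word.exe` produces no finding, since the Office environment itself blocks the network, which is the guarantee the post describes.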

At first each program had its own isolated environment, so having this program blocked from network access basically meant having the network access blocked for the corresponding isolated environment. But later we enabled each isolated environment to have multiple programs. And then network control was moved to isolated environment. Why? Because it's a security boundary. A program can't escape isolated environment, the isolated environment doesn't have network access, so the program is guaranteed to be blocked from the network. But later we received multiple requests to return network control on a program-wise basis. And so we did. But keep in mind, that it's only for well-behaving programs, it's not a security boundary! In other words, if a program is benevolent, tries to make a network connection and obediently agrees if it's not given, then it remains offline. But if a program is malicious, doesn't agree and starts misbehaving like injecting into other programs running is the same isolated environment (it can do this as they're in the same isolated environment) and these other programs along with the isolated environment are allowed to have network access, the program will also access network through them. So keep this in mind, program-wise network control is not for strong security, it's for convenience and usability.