All remote host-based attacks carried out over the Internet use existing network tools, clients and purpose-written software to penetrate remote hosts.
To aid the description the following example is used: two hosts are involved, A and B. Host A is a mail server running a buggy version of the Sendmail MTA (Mail Transport Agent) that has a buffer overflow vulnerability. An attacker operating from host B has a script that connects to the Sendmail port and exploits the buffer overflow, thus gaining a root shell on the remote machine, host A.
Obeying the principle of least privilege, the mandatory security policy of a system should restrict network connections to only those processes that legitimately need them. In the above example, if such a policy were in place, the attacker's script would be denied permission to connect to Sendmail on host A, because the only software that needs to communicate with remote MTAs is the local MDA (Mail Delivery Agent), i.e. the mail clients, and the local MTA used for relaying mail, if one exists. Furthermore, the local MTA and MDA should not be allowed to establish network connections to any destination port other than 25 (the mail exchange/delivery port), since they do not need that capability to operate correctly. A traditional firewall cannot enforce this kind of behavior: the available firewall software filters on addresses and ports and cannot express a policy fine-grained enough to distinguish between individual processes on a host. This is exactly where the IP Labeling model fits in, depicted in Figure 4.4.1.
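The following toy policy evaluator is an added illustration of the argument above; it is not the IP Labeling model from this text and not code from any project. It contrasts a traditional packet-filter rule, keyed only on hosts and ports, with a per-process rule keyed on a process label (the labels "mta", "mda" and "attacker-script", the hosts A and B, and the rule formats are assumptions made for the example). The packet filter must allow B to reach A on port 25 for mail to flow, so it also lets the attacker's script through; the per-process policy admits only mail software, and only to port 25.

```python
"""Toy per-process network policy versus a host/port packet filter.
Added example for illustration; the labels, rule formats and hosts
A and B are assumptions, not part of the IPL model described in the text.
"""

from dataclasses import dataclass

SMTP_PORT = 25


@dataclass(frozen=True)
class Connection:
    """A connection attempt as seen by the policy engine (constructed input)."""
    process: str    # assumed label of the process opening the socket
    src_host: str
    dst_host: str
    dst_port: int


# Traditional packet filter: (src_host, dst_host, dst_port) -> allow?
# It has no notion of which process on src_host opened the socket, so the
# single rule that lets mail flow from B to A also admits the attacker.
FIREWALL_RULES = {
    ("B", "A", SMTP_PORT): True,
}


def firewall_decide(conn: Connection) -> bool:
    """Allow only if an explicit host/port rule matches; default deny."""
    return FIREWALL_RULES.get((conn.src_host, conn.dst_host, conn.dst_port), False)


# Per-process policy: process label -> destination ports it may use.
# Only mail software may talk to remote MTAs, and only on port 25.
PROCESS_POLICY = {
    "mta": {SMTP_PORT},
    "mda": {SMTP_PORT},
}


def process_decide(conn: Connection) -> bool:
    """Allow only labelled mail processes, and only to their permitted ports."""
    allowed_ports = PROCESS_POLICY.get(conn.process)
    if allowed_ports is None:
        return False            # unlabelled or unknown process: deny by default
    return conn.dst_port in allowed_ports


def evaluate(conn: Connection) -> dict:
    """Return both verdicts so the difference between the models is visible."""
    return {
        "firewall": firewall_decide(conn),
        "process_policy": process_decide(conn),
    }


# Constructed scenarios from the text: the attacker's script on B, a
# legitimate mail client on B, and the MTA on A trying a non-mail port.
SCENARIOS = {
    "attacker script B->A:25": Connection("attacker-script", "B", "A", SMTP_PORT),
    "mail client B->A:25":     Connection("mda", "B", "A", SMTP_PORT),
    "mta A->C:8080":           Connection("mta", "A", "C", 8080),
}


def run_scenarios() -> dict:
    """Evaluate every scenario under both models."""
    return {name: evaluate(conn) for name, conn in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} firewall={verdict['firewall']!s:5s} "
              f"process_policy={verdict['process_policy']}")
```

Running the block shows the firewall admitting both the attacker's script and the mail client from B (it cannot tell them apart), while the per-process policy admits only the client; the MTA's attempt to reach port 8080 is refused by the per-process policy even though no packet-filter rule addressed it.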
The acronym IPL is used for IP Labeling in the rest of the text.