Firewall Wizards mailing list archives
Re: firewalls and the incoming traffic problem
From: David Collier-Brown <davecb () canada sun com>
Date: Wed, 01 Oct 1997 07:36:53 -0400
Leonard Miyata wrote:
The solutions to this problem do exist, but the traditional 'Red Book' 'Orange Book' view of network security has been abandoned by the firewall community long ago. Bellovin and Cheswick warned against the 'hard crunchy shell with the soft chewy center' solution years ago in their 'Firewalls and Internet Security'. The MLS viewpoint was designed for the traditional military categories of 'Secret', 'Top Secret' and 'Unclassified'. The hierarchy of a subject that contains multiple levels probably would not apply to commercial applications.
[snip]
With the current business environment for network security, I don't see 'Red Book' technology being accepted, but I can dream...
I see it as being as much a perception problem as anything else: it's perfectly reasonable to have both categories and levels in a business...

From a former life, the company had several product lines, each of which deserved a category, and our product was heavily used by three different integrators. We needed three levels: public (unclass), nondisclosure-required (restricted) and not-to-leak (confidential). Each of our integrators needed that too, and needed to be sure that if something was worked on cooperatively at restricted, it didn't leak out to a different integrator at restricted...

Think of it like this

                Int 1   Int 2   Sietec
              +-------+-------+-------+
confidential  |       |       |       |
              +-------+-------+-------+
restricted    |       |============   |
              +-------+I------+---I---+
unclassified  |       |I      |   I   |
              +-------+I------+---I---+
                       ============

The heavy box was the project: all four categories were meaningful both from a security viewpoint and from a management viewpoint.

How did we deal with it? We didn't. We declassified stuff to give to everybody, and let them worry about how much they gave back.

--dave
--
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb () hobbes ss org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb
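An added example, not part of the original post: the levels-plus-categories labelling described in the message above, written as a lattice dominance check. The category names (int1, int2, sietec) are assumptions taken from the diagram's column headings, and all function names are hypothetical.

```python
from dataclasses import dataclass

# Levels from the post, lowest to highest.
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high AND holds every category."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def label(level, *cats):
    return Label(level, frozenset(cats))


def may_read(subject, obj):
    """A subject may read an object only if its clearance dominates it."""
    return subject.dominates(obj)


def may_flow(src, dst):
    """Information may move from src to dst only if dst dominates src."""
    return dst.dominates(src)


def join(a, b):
    """Least upper bound: the label for data derived from both a and b."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.categories | b.categories)


# Constructed sample labels (category names assumed from the diagram).
int1_staff = label("restricted", "int1")
int2_staff = label("restricted", "int2")
project_member = label("restricted", "int2", "sietec")
project_doc = label("restricted", "int2", "sietec")   # the "heavy box"
public_doc = label("unclassified")

if __name__ == "__main__":
    print("int1 -> int2 at restricted:", may_flow(int1_staff, int2_staff))
    print("project member reads project doc:", may_read(project_member, project_doc))
    print("int1 staff reads project doc:", may_read(int1_staff, project_doc))
    print("project doc -> public without relabel:", may_flow(project_doc, public_doc))
```

Moving the project document to `public_doc` is refused by the flow rule, so the declassification the post describes is a manual relabelling step outside the lattice check.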