Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: David Collier-Brown <davecb () canada sun com>
Date: Wed, 01 Oct 1997 07:36:53 -0400

Leonard Miyata wrote:

The solutions to this problem do exist, but the traditional
'Red Book' 'Orange Book' view of network security has been
abandoned by the firewall community long ago. Bellovin and
Cheswick warned against the 'hard crunchy shell with the
soft chewy center' solution years ago in their 'Firewalls
and Internet Security'.

The MLS viewpoint was designed for the traditional military
categories of 'Secret', 'Top Secret' and 'Unclassified'. The
hierarchy of a subject that contains multiple levels probably
would not apply to commercial applications.
[snip]
With the current business environment for network security, I
don't see 'Red Book' technology being accepted, but I can dream...

  I see it as being as much a perception problem as anything else:
it's perfectly reasonable to have both categories and levels in
a business...
  From a former life, the company had several product lines,
each of which deserved a category, and our product was heavily used by
three different integrators.
  We needed three levels: public (unclass), nondisclosure-required
(restricted) and not-to-leak (confidential).  Each of our
integrators needed that too, and needed to be sure that if something
was worked on cooperatively at restricted, it didn't leak out
to a different integrator at restricted...
  Think of it like this:

                  Int 1   Int 2   Sietec
                +-------+-------+-------+
confidential    |       |       |       |
                +-------+-------+-------+
restricted      |       |============   |
                +-------+I------+---I---+
unclassified    |       |I      |   I   |
                +-------+I------+---I---+
                         ============

  The heavy box was the project: all four categories were meaningful
both from a security viewpoint and from a management viewpoint.
  How did we deal with it?

  We didn't.  We declassified stuff to give to everybody,
and let them worry about how much they gave back.

--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb () hobbes ss org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb
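The level-plus-category lattice sketched in the message above, written out as an added example (not code from the original post or the list): labels carry one of the three levels named in the post plus a set of integrator categories, a subject may read an object only if its clearance dominates the object's label, and the "declassify it for everybody" workaround is the step that drops a label to the bottom of the lattice. The project label (restricted, {Int 2, Sietec}) is an assumption read off the ASCII diagram.

```python
"""Lattice (level, categories) access check in the style of Bell-LaPadula.

Added example. Level names come from the post; the category names and the
project label are assumptions based on the diagram in the post.
"""
from dataclasses import dataclass, field

# Linear order of levels, as named in the post: unclassified < restricted < confidential
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and frozenset(other.categories) <= frozenset(self.categories))


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): clearance must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


def declassify(obj: Label) -> Label:
    """The workaround the post describes: relabel at the bottom so everyone can read."""
    return Label("unclassified", frozenset())


# Constructed sample: the cooperative project is restricted and spans the two
# integrators inside the heavy box, so it needs BOTH categories to be read.
PROJECT = Label("restricted", frozenset({"Int 2", "Sietec"}))
INT1_ENGINEER = Label("restricted", frozenset({"Int 1"}))       # different integrator
INT2_ENGINEER = Label("restricted", frozenset({"Int 2"}))       # only one of the two
JOINT_ENGINEER = Label("restricted", frozenset({"Int 2", "Sietec"}))

if __name__ == "__main__":
    for who, subj in [("Int 1", INT1_ENGINEER), ("Int 2 only", INT2_ENGINEER),
                      ("joint", JOINT_ENGINEER)]:
        print(who, "reads project:", can_read(subj, PROJECT),
              "| reads declassified copy:", can_read(subj, declassify(PROJECT)))
```

The category check is what stops restricted material for one integrator from being readable by another at the same level; declassifying sidesteps the lattice entirely, which is exactly why the post calls it "not dealing with it".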
