Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: mcnabb () argus-systems com (Paul McNabb)
Date: Wed, 18 Feb 1998 10:48:35 -0600

 From smb () research att com Wed Feb 18 10:21 CST 1998
 
 That's not my point.  What I'm looking for is a higher-level
 specification of the basic *model* for security.  For example,
 Orange Book-style systems -- independent of assurance or implementation
 techniques, and even independent of the Orange Book itself --
 implement a model that says "you can't read information at a
 higher sensitivity level; you can't write information to a file
 with a lower sensitivity label".  Now, arguably that's a useful
 scheme for a time-sharing machine, where you might have users
 with different clearances.
 
 What I'm looking for here is a model for the security properties
 of a firewall or IDS, in a generic Internet environment.  Orange
 Book-style firewalls operate on sensitivity levels -- good for that
 environment, perhaps, but useless for most people.  Granted, in
 the newer criteria one can claim that a product protects against assorted
 attacks -- but what is the *model* for what they do?  Given a model,
 one can reason about the model itself.  One can start to build
 security kernels that enforce it.
 
 But I haven't a clue what such a model might be.

What I was trying to point out is that one of the points of the new
common criteria is to allow you to write such a model.  A very small
piece of the CC has to do with what most people think of as the
Orange Book way of doing security.  The concept of a Protection Profile
will allow you to define a model that is intended to protect a system
(or something less than a complete system) against a defined set of
threats.  In essence, you can write your own "orange book", complete
with rationalizations, assumptions, environments, threats, and of
course, "protection mechanisms" and assurances.

All this being said, even the CC doesn't let you model everything, nor
does it address some key fundamentals that you may want/need to have
to address the issue of building a model.  I agree with you.  There
needs to be some serious thinking about the fundamental issue of what
security really is, what is being protected, why it is being protected,
how various components and requirements interact, and what the tradeoffs
are.

Right now it seems that companies are building products to meet needs
that are several levels removed from the core issues.  There are a lot
of responses to particular attacks or types of attacks without there
being any real theoretical basis for the solution.

Does anyone know of a group working on this level of the security issue?
I would assume any such work would be most likely found in either an
academic environment or a quasi-commercial or government "think tank"
group.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
