Firewall Wizards mailing list archives
RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd)
From: Jeremy Epstein <jepstein () tis com>
Date: Wed, 28 Oct 1998 21:03:23 -0500
Paul,

At 08:04 AM 10/28/98 -0600, Paul McNabb wrote:

> You are right. Last week I went back and looked more closely at what they had done, and it isn't really CMW trusted X Window stuff, though it is solving some of the same types of problems. In fact, this looks a lot like some of the work done at NRL over the last few years. The NRL folks were solving the problem of having information flow only from low systems to high systems. They did this by replicating databases on different systems and providing a one-way communication mechanism to send transactions up the chain to higher systems.

Yes, it is solving some of the same problems as CMWs tried to, but in a totally different way (and one which can give a lot of assurance, which is something CMWs were always weak on). It's sort of related to the stuff NRL is doing, in that one of the things it provides is safe upward flow without leakage. It's much simpler than what NRL did, though, because they don't try to use queues to avoid loss... they rely on things being fast enough not to lose packets.

> I was sitting next to a bunch of military guys while the NRL project was being presented, and the most interesting comment I heard was something like "Big deal. We aren't concerned about secure upgrading, we can do that now. We want secure downgrading." I'm not sure if this is the general feeling about the rash of "diodes" now coming on the market, but I think there is still a great need for secure, bi-directional flow.

I understand why the military folks say that. And sometimes I say it too :-)

> Galaxy Computer Services, Inc. (www.gcsi.com) makes something they call an "Information Diode" which is based on Linux running on PCs. They use two systems running modified tftp protocols on top of "hardened" (not trusted) versions of the operating system. Their claims are similar: information can flow in only one direction. The site says that source is delivered with the product.

Yes, I've heard about it. Haven't had a chance to look at it, but I'm extremely suspicious of people who claim to have one-way flows built on top of relatively untrustworthy platforms. For example, NRL built several versions of their Pump one-way transfer. The versions built on Windows NT are a great demo, but neither they nor I would ever rely on them for an actual one-way device. Not sure about the Galaxy device being in that same category.

> BTW, wasn't your solution at TRW the one that used multiple instantiations of the X server, each handling a separate security level?

Yes, that's correct. And in a certain sense, that's what the Australians did, except they use multiple instantiations of the X server in *hardware*, while I did it in *software*. Because I did it in software, I needed a trusted operating system to make it work, but I could support as many levels as you wanted. Because they do it in hardware, they require multiple boxes (one per unique level/category combination), but they don't need a trusted operating system. Viva la difference :-)

---------------------------------+-------------------------------------
| Jeremy Epstein                 | E-mail: jepstein () tis com         |
| TIS Labs at Network Associates | Voice: +1 (703) 356-4938            |
| Northern Virginia Office       | Fax: +1 (703) 821-8426              |
---------------------------------+-------------------------------------
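The distinction Jeremy draws above between a diode that relies on the high side being fast enough and a Pump that queues to avoid loss, as an added toy model that is not code from the thread or from any of the products mentioned: a low side sends a burst through each device to a slow high-side consumer, and only the queued device delivers everything; the class names, tick timings and message contents are constructed for the illustration.

```python
# Toy model (added here, not from the thread): low-to-high transfer through a
# slow high-side consumer.  The diode forwards at once and loses what the high
# side cannot take; the pump queues and returns only a yes/no ack.  Constructed.
from collections import deque

class HighSide:
    """Slow receiver: busy for COST ticks after each message it accepts."""
    COST = 3
    def __init__(self):
        self.received, self.busy_until = [], 0
    def accept(self, tick, msg):
        if tick < self.busy_until:
            return False
        self.received.append(msg)
        self.busy_until = tick + self.COST
        return True

class UnbufferedDiode:
    """No queue: a message arriving while the high side is busy is silently lost."""
    def __init__(self, high):
        self.high, self.lost = high, 0
    def send(self, tick, msg):
        if not self.high.accept(tick, msg):
            self.lost += 1  # nothing flows back, so low never learns this
    def tick(self, tick):
        pass  # nothing buffered to drain

class Pump:
    """Bounded queue: the only thing the low side sees is a yes/no ack."""
    def __init__(self, high, capacity=8):
        self.high, self.queue, self.capacity, self.lost = high, deque(), capacity, 0
    def send(self, tick, msg):
        if len(self.queue) >= self.capacity:
            self.lost += 1  # counted as lost here; a real pump lets low retry
            return False    # ack withheld: the signal carries no high-side data
        self.queue.append(msg)
        return True
    def tick(self, tick):
        if self.queue and self.high.accept(tick, self.queue[0]):
            self.queue.popleft()

def run(device_factory, burst=6, ticks=40):
    """Low side sends one message per tick for `burst` ticks; returns (delivered, lost)."""
    high = HighSide()
    dev = device_factory(high)
    for t in range(ticks):
        if t < burst:
            dev.send(t, f"msg{t}")
        dev.tick(t)
    return high.received, dev.lost
```

With a burst of six and a receiver that takes three ticks per message, the unbuffered diode keeps two messages and loses four, the default pump delivers all six, and a pump whose queue is too small for the burst refuses some, which is the sizing question a buffered one-way device has to answer.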
Current thread:
- [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) ark (Oct 16)
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) John Nicholson (Oct 19)
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Christopher Nicholls (Oct 19)
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Technical Incursion Countermeasures (Oct 23)
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Rick Murphy (Oct 23)
- <Possible follow-ups>
- RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Peter Mayne (Oct 19)
- RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Paul McNabb (Oct 23)
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Steve Bellovin (Oct 27)
- RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Paul McNabb (Oct 28)
- RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Jeremy Epstein (Oct 28)