Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: <rreiner () fscinternet com>
Date: Tue, 3 Oct 2000 17:30:37 -0400

> In other words you're trying to restrict the URLs *at the firewall* to
> match the anticipated properties of the web applications being
> restricted on one side or the other.

Absolutely.  That's what the whale device tries to do, and it sounds 
VERY desirable to me -- principle of least privilege, and all that :-)

The individual(s) who write application logic to process a particular 
URL should NOT also be able to allow that URL to enter the environment 
(nor should they be able to publish their own application code into the 
environment, for that matter).

Certainly it's tricky; but least-privilege environments are always 
tricky to work in.  If your risk analysis and your CBA tell you it's 
worth the effort, though, it's nice to have the option, which you don't 
unless you have this level of granularity in the 
firewall-or-other-perimeter-defence-device.

> You can't expect sysadmins to do this and I'm not sure the application
> developers could do it, either.

It certainly isn't a good fit for the SME world... elsewhere, it can be 
worth the effort.

> This is a surprise to me. Do web site developers really work with specs
> that would clearly define the possible values flowing through a URL? Is
> this common anywhere except perhaps the most sophisticated sites?

Well, it's certainly true in some of the environments we work in.  But, 
as above, definitely not in the SME world.

> Even if one has such specs, wouldn't it make more sense to use those
> specs to automatically generate range and type checking code at the
> server end?

No -- least privilege again.  Content checking should absolutely not be 
automatically generated from the code, or from the spec written by the 
code group.

> Another approach that addresses these problems but has not prospered in
> the marketplace is to run the web server on a host with some sort of
> mandatory access control. We offered such a thing on Sidewinder for a
> while, and HP offers something similar as "Virtual Vault."

Yep.  We haven't worked with Sidewinder's version of this, but have 
seen VVOS up-close-and-uncomfortable.  Would have been a nice product 
if it had worked right.  Although I hear they have a new version which 
rips out a large and troublesome chunk of the product (a third-party 
product which had previously been integrated, and was absolutely 
necessary in complex environments) and replaces it with a different 
product which ought to work better.

Richard
--
.
. Richard Reiner, Ph.D.
. FSC Internet Corp. / SecureXpert Labs
. The FSC Building, 188 Davenport Rd.,
. Toronto, Ontario, Canada  M5R 1J2
. +1 416 921 4280, Fax +1 416 966 2451
. rreiner () fscinternet com, rreiner () securexpert com
. www.fscinternet.com, www.securexpert.com
.
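The URL restriction the reply advocates, as an added example (not code from this thread or from any product named in it): a positive-security policy in which a perimeter gateway admits only the paths and parameters explicitly declared, with type and range checks kept separate from the application code. The policy contents, paths and parameter names are constructed assumptions for illustration.

```python
# Added example: a positive-security URL policy of the kind the reply
# describes, enforced at a perimeter gateway rather than in the web app.
# Policy format, paths and parameter names are constructed assumptions.
import re
from urllib.parse import urlsplit, parse_qs

# Every allowed path lists every parameter it may carry, with a type and
# a range or pattern.  Anything not listed is denied (least privilege).
POLICY = {
    "/catalog/item": {
        "id": {"type": "int", "min": 1, "max": 999999},
        "lang": {"type": "re", "pattern": r"[a-z]{2}"},
    },
    "/search": {
        "q": {"type": "re", "pattern": r"[\w ]{1,64}"},
        "page": {"type": "int", "min": 1, "max": 500},
    },
}

def _check_value(rule, value):
    """True if one parameter value satisfies its declared type and range."""
    if rule["type"] == "int":
        if not re.fullmatch(r"-?\d{1,9}", value):
            return False
        return rule["min"] <= int(value) <= rule["max"]
    if rule["type"] == "re":
        return re.fullmatch(rule["pattern"], value) is not None
    return False  # unknown rule type: fail closed

def url_allowed(url, policy=POLICY):
    """Return (allowed, reason) for a request URL.

    Denies on an unknown path (exact match, so '..' and alternate spellings
    are simply unknown), an unknown or repeated parameter, or a value
    outside its declared type/range.
    """
    parts = urlsplit(url)
    rules = policy.get(parts.path)
    if rules is None:
        return False, "path not in policy"
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        rule = rules.get(name)
        if rule is None:
            return False, "parameter %r not in policy" % name
        if len(values) != 1:
            return False, "parameter %r repeated" % name
        if not _check_value(rule, values[0]):
            return False, "parameter %r fails type/range check" % name
    return True, "ok"
```

Because the gateway only consults its own declared policy, a new URL or parameter the application starts accepting is still refused until the policy is deliberately updated, which is the separation of duties the reply argues for.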