Firewall Wizards mailing list archives
RE: Security Policy methodologies
From: Hal <hal () mrj com>
Date: Mon, 29 Dec 1997 16:22:12 -0500
Bret,

Abstract security architectures including notions of completeness were the basis of the Orange Book and rainbow books. Roughly, a fundamentally secure model was described by the various "trusted systems" of the OB. Security of other types of systems was defined as a correspondence between the target architecture and one of the OB stand-alone machines. A complete mapping (or less formally a correspondence) was necessary to demonstrate a secure design (since the TCSEC security model was secure [by definition] and the mapping "sound" then the target must also be secure).

This is a very interesting headgame. I played around with applying this idea to the several firewall architectures described in Chapman. (It would be fun to see someone go through with that analysis. :) Dockmaster.ncsc.mil may have more stuff on this.

One word of caution: having precise definitions is the real problem and not the mappings. These "interps" were never easy to arrive at and very intelligent people would argue about fine distinctions for months.

Good luck.

----------
From: Bret Watson[SMTP:lists () bwa net]
Reply To: Bret Watson
Sent: Monday, December 29, 1997 1:55 PM
To: firewall-wizards () nfr net
Subject: Security Policy methodologies

I'm seeking information on any methodologies for developing Security Policies.

Basically, I'm developing a paper on utilising software engineering techniques to abstract the process and to analyse the result for completeness.

I need to know if this has been tried and what other methods do people use to create the policy document?

I'll summarise the results and post them to the list as well as posting the url of the finished paper.

Yours,
Bret Watson
Technical Incursion Countermeasures
Providing the means for your company's self-defense
consulting () bwa net http://www.ticm.com/
ph: (+61)(08) 9429 8898(UTC+8 hrs) fax: (+61)(08) 9429 8800