Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: Jeromie Jackson <jeromie () garrison com>
Date: Sun, 02 Nov 1997 09:36:37 -0800

At 10:22 PM 10/1/97 -0500, Rick Smith wrote:
On the other hand, we *do* face an integrity problem, which brings us back
around to the start of this discussion thread. This is where MLS comes in
handy -- since a "higher" level isn't allowed to modify files belonging to
"lower" levels, you place the big bad Internet at a "higher" level and
install the files you don't want modified at a "lower" level. This lets the
Internet processes read the executable files and the configuration files,
but prevents them from modifying them. This is sort of using Bell LaPadula
to implement Biba, if you see what I mean. And, of course, it all works
much more cleanly with Type Enforcement (tm).

I would also inject that Sidewinder uses independent "domains" for each of
the daemons running (Sendmail, telnet, etc., etc.) whereas other products
such as Cyberguard have 2 levels (Network, and System).  Because of the
additional compartmentalization within SCC, more granular process
containment is achieved.  If only 2 levels are used, compromise of SMTP, for
example, would provide the attacker the opportunity to also attack the rest
of the 'domains' or compartments.  In a Sidewinder box, compromise of SMTP,
or other daemons, would only allow the attacker to touch files and system
calls associated with only that process.  If a daemon were to be
compromised, any attempts to circumvent other domains, or the touching of
files not directly related to the daemon's process, would cause a
type-enforcement fault, and alarms would be generated.

In another note, the National Information Assurance Partnership (NIAP)
currently has a single level for firewall assurance.  Since a few firewalls
in the market deploy DTE or other MAC-based mechanisms, this is truly an
injustice.  Comparing the compartmentalization between DAC-only products and
those containing DAC & MAC, there are obviously levels of security.  I
hope that others will agree, and express their opinion to the working
group.  I am working on a paper for submittal in hopes of changing this
obnoxious flaw in their ratings.  It is not fair to the commercial
community to not have some showing within the NIAP firewall profile that
there is a range of security levels.  Firewalls do not all have the same
level of assurance, or compartmentalization of vulnerabilities.

  
Jeromie Jackson
Senior Security Engineer
Garrison Technologies
jeromie () garrison com
760-633-1843
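As an added illustration of the two containment models compared in this thread (example code, not from the thread or from any product it names): a toy reference monitor that applies Bell-LaPadula rules with Internet-facing processes placed at the "higher" level to get Biba-style integrity, beside a per-daemon Type Enforcement matrix that raises a fault when a hijacked SMTP domain reaches for another daemon's files. Level, domain and type names are assumptions.

```python
"""Toy reference monitor: MLS levels versus per-daemon Type Enforcement.
Constructed for illustration; not Sidewinder or Cyberguard code."""
from dataclasses import dataclass, field

# Two-level model. "Higher" number = less trusted, as in the thread's scheme.
LEVELS = {"system": 0, "internet": 1}


def bell_lapadula(subject_level: str, object_level: str, op: str) -> bool:
    """Simple security: read only at or below own level (no read up).
    *-property: write only at or above own level (no write down).
    With untrusted Internet processes placed high and protected files low,
    the net effect is integrity: reading config/binaries is allowed, writing
    them is denied."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return o <= s
    if op == "write":
        return o >= s
    raise ValueError(f"unknown op {op!r}")


# Type Enforcement: domain -> {object type: permitted ops}. Constructed policy.
TE_POLICY = {
    "smtp_d": {"smtp_t": {"read", "write"}, "shared_bin_t": {"read", "exec"}},
    "telnet_d": {"telnet_t": {"read", "write"}, "shared_bin_t": {"read", "exec"}},
}


@dataclass
class TypeEnforcer:
    policy: dict
    alarms: list = field(default_factory=list)

    def check(self, domain: str, obj_type: str, op: str) -> bool:
        """True if the policy permits the access; otherwise record a TE fault."""
        if op in self.policy.get(domain, {}).get(obj_type, set()):
            return True
        self.alarms.append(f"TE fault: {domain} attempted {op} on {obj_type}")
        return False


def writable_after_smtp_compromise() -> dict:
    """What a hijacked SMTP process can write under each model (constructed)."""
    two_level = {"smtp_files": "internet", "telnet_files": "internet",
                 "fw_config": "system"}
    mls = [o for o, lvl in two_level.items()
           if bell_lapadula("internet", lvl, "write")]
    te = TypeEnforcer(TE_POLICY)
    te_ok = [t for t in ("smtp_t", "telnet_t", "shared_bin_t")
             if te.check("smtp_d", t, "write")]
    return {"two_level": mls, "type_enforcement": te_ok, "alarms": te.alarms}
```

Under the two-level model the compromised SMTP process can still write every other Network-level file; under TE it can write only its own type, and each out-of-domain attempt leaves an alarm record.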


