Firewall Wizards mailing list archives
Re: firewalls and the incoming traffic problem
From: Rick Smith <rsmith () visi com>
Date: Wed, 1 Oct 1997 22:22:10 -0500
At 12:27 PM -0500 9/29/97, Leonard Miyata wrote:
The MLS viewpoint was designed for the traditional military categories of 'Secret', 'Top Secret' and 'Unclassified'. The hierarchy of a subject that contains multiple levels probably would not apply to commercial applications. The concept of 'Multiple Single Levels' can be applied to a business model. Instead of 'Secret', 'Top Secret' and 'Unclassified', you could have 'R&D', 'Administration' and 'Marketing'. VPN channels can be established to their remote Single Level counterparts, with defence in depth DAC, I&A, Audit, and MAC (that's Mandatory Access Control, not to be confused with the E-mail term). High security levels would have physical and virtual isolation from networks allowed public internet access. A combination of physical network topology, plus 'Orange Book' Guards and Proxy Bastion Hosts would control cross level data transfer, and limit the amount of information exposed during a possible 'incident'.
For what it's worth, I've always looked at applying these mechanisms in the opposite way. Private corporations very, very rarely show the level of paranoia achieved by military agencies when protecting secrets from disclosure. Therefore, even B1 level MLS exceeds the degree of confidentiality protection that's appropriate in most commercial information processing situations. Also the information flow in practice isn't so well isolated, since the sensitivity issues aren't as significant. So the mechanisms would interfere with typical business operations.

On the other hand, we *do* face an integrity problem, which brings us back around to the start of this discussion thread. This is where MLS comes in handy -- since a "higher" level isn't allowed to modify files belonging to "lower" levels, you place the big bad Internet at a "higher" level and install the files you don't want modified at a "lower" level. This lets the Internet processes read the executable files and the configuration files, but prevents them from modifying them. This is sort of using Bell LaPadula to implement Biba, if you see what I mean. And, of course, it all works much more cleanly with Type Enforcement (tm).

Rick Smith.
rsmith () visi com
smith () securecomputing com
"Internet Cryptography" now in bookstores http://www.visi.com/crypto/
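The labelling described in the message above, as an added example that is not part of the original post: a two-level Bell-LaPadula check with the Internet placed "higher" and protected files "lower", compared against strict Biba on the inverted labels. The level names, the daemon and admin-tool subjects, and all function names are assumptions made for illustration.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):
    """Constructed two-level lattice for the labelling described in the message."""
    SYSTEM = 0    # executables and configuration files to protect ("lower")
    INTERNET = 1  # network-facing processes and what they create ("higher")

def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject: int, obj: int, op: str) -> bool:
    """Strict Biba over integrity levels: no read down, no write up."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")

def integrity_of(level: Level) -> int:
    """Inverted reading of a label: the higher BLP level is the less trusted."""
    return max(Level) - level

def models_agree() -> bool:
    """True if BLP on the labels matches Biba on the inverted labels everywhere."""
    return all(
        blp_allows(s, o, op) == biba_allows(integrity_of(s), integrity_of(o), op)
        for s, o, op in product(Level, Level, ("read", "write"))
    )

def decisions() -> dict:
    """BLP decisions for an Internet-level daemon and a system-level admin tool."""
    cases = {
        "daemon reads config": (Level.INTERNET, Level.SYSTEM, "read"),
        "daemon writes config": (Level.INTERNET, Level.SYSTEM, "write"),
        "daemon writes its own log": (Level.INTERNET, Level.INTERNET, "write"),
        "admin tool reads daemon log": (Level.SYSTEM, Level.INTERNET, "read"),
    }
    return {name: blp_allows(*args) for name, args in cases.items()}

if __name__ == "__main__":
    print("BLP matches inverted Biba:", models_agree())
    for name, allowed in decisions().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The last case is the operational cost of the trick: under no-read-up, a SYSTEM-level subject cannot read anything the INTERNET level wrote, which is exactly Biba's no-read-down rule seen through the inverted labels.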