Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: Rick Smith <rsmith () visi com>
Date: Wed, 1 Oct 1997 22:22:10 -0500

At 12:27 PM -0500 9/29/97, Leonard Miyata wrote:

The MLS viewpoint was designed for the traditional military
categories of 'Secret', 'Top Secret' and 'Unclassified'. The
hierarchy of a subject that contains multiple levels probably
would not apply to commercial applications. The concept of
'Multiple Single Levels' can be applied to a business model.
Instead of 'Secret', 'Top Secret' and 'Unclassified', you could
have 'R&D', 'Administration' and 'Marketing'. VPN channels can
be established to their remote Single Level counterparts, with
defence in depth DAC, I&A, Audit, and MAC (that's Mandatory
Access Control, not to be confused with the E-mail term). High
security levels would have physical and virtual isolation from
networks allowed public internet access. A combination of physical
network topology, plus 'Orange Book' Guards and Proxy Bastion
Hosts would control cross level data transfer, and limit the
amount of information exposed during a possible 'incident'.

For what it's worth, I've always looked at applying these mechanisms in the
opposite way. Private corporations very, very rarely show the level of
paranoia achieved by military agencies when protecting secrets from
disclosure. Therefore, even B1 level MLS exceeds the degree of
confidentiality protection that's appropriate in most commercial
information processing situations. Also the information flow in practice
isn't so well isolated, since the sensitivity issues aren't as significant.
So the mechanisms would interfere with typical business operations.

On the other hand, we *do* face an integrity problem, which brings us back
around to the start of this discussion thread. This is where MLS comes in
handy -- since a "higher" level isn't allowed to modify files belonging to
"lower" levels, you place the big bad Internet at a "higher" level and
install the files you don't want modified at a "lower" level. This lets the
Internet processes read the executable files and the configuration files,
but prevents them from modifying them. This is sort of using Bell LaPadula
to implement Biba, if you see what I mean. And, of course, it all works
much more cleanly with Type Enforcement (tm).

Rick Smith.                rsmith () visi com           smith () securecomputing com
"Internet Cryptography" now in bookstores  http://www.visi.com/crypto/

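The label arrangement described in the message above, as an added example that is not part of the original post: a toy Bell-LaPadula monitor with the Internet-facing processes labelled "higher" and the protected files "lower", checked exhaustively against strict Biba with the ordering inverted. The level names and function names are hypothetical.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):
    # Constructed two-level ordering following the message's arrangement.
    SYSTEM = 0     # "lower": executables and configuration files
    INTERNET = 1   # "higher": processes exposed to the Internet

OPS = ("read", "write")

def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula confidentiality rules on a linear ordering."""
    if op == "read":    # simple security property: no read up
        return subject >= obj
    if op == "write":   # *-property: no write down
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject_int: int, obj_int: int, op: str) -> bool:
    """Strict Biba integrity rules: no read down, no write up."""
    if op == "read":
        return subject_int <= obj_int
    if op == "write":
        return subject_int >= obj_int
    raise ValueError(f"unknown operation: {op}")

def integrity(level: Level) -> int:
    """Invert the ordering: the lowest BLP level gets the highest integrity."""
    return -int(level)

def decisions() -> dict:
    """Every (subject, object, operation) decision under the BLP labels."""
    return {(s.name, o.name, op): blp_allows(s, o, op)
            for s, o, op in product(Level, Level, OPS)}

def duality_holds() -> bool:
    """True if BLP on these labels equals Biba on the inverted ordering."""
    return all(
        blp_allows(s, o, op) == biba_allows(integrity(s), integrity(o), op)
        for s, o, op in product(Level, Level, OPS)
    )

if __name__ == "__main__":
    for (s, o, op), ok in decisions().items():
        print(f"{s:8} {op:5} {o:8} -> {'allow' if ok else 'deny'}")
    print("matches inverted Biba:", duality_holds())
```

The same table shows the cost of the arrangement: a SYSTEM-level process cannot read anything an INTERNET-level process has written, so consumers of such data have to run at the INTERNET level too.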


