Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 18 Feb 1998 16:17:31 +0000


> Actually, the old Orange Book model tried to define a level of security
> plus what you need to do to verify that the product performed (assurance).
> The European ITSEC and the new Common Criteria have an entirely different
> approach.  The primary document for an evaluation is a required "Security
> Target" document that describes 1) the threats you claim to counter, 2) the
> features of your product that are used to eliminate or reduce the threat,
> 3) the environment you expect to run in (physical, legal, etc.), and 4) any
> assumptions you have made (e.g., physical security).  Everything in the
> evaluation revolves around verifying the claims of the Security Target.
>
> If you are looking at any product (crypto, network, OS, database, whole
> system, etc.) that claims either an ITSEC or a CC certification, you can
> request this document from the vendor.  If the Security Target claims that
> the product counters certain denial of service, file system, authentication,
> or network attacks, you can then see what mechanisms they claim to be
> using and also how much the evaluators analyzed the documents and product
> (including penetration testing).
>
> These newer government certification procedures are much more flexible
> and useful than the older Orange Book stuff, even though some of the
> old terminology (C2, B1) is still in use.  Newer evaluations can claim
> an Orange Book level if the security enforcing mechanisms in the Security
> Target are a superset of the Orange Book level you are claiming to meet.
>
> A *secure* Unix system would be one that meets your definition of
> security in the Security Target defined for the system.  The CC has
> a concept of a Protection Profile that can be used to define a generic
> security definition that can be used as the basis for the claims of a
> Security Target.  The guys have done a really good job here.  Check out
> the definitions (particularly Part 2) in the Version 2.0 DRAFT (12/97).
>
>     http://csrc.nist.gov/cc/info/infolist.htm

That's not my point.  What I'm looking for is a higher-level
specification of the basic *model* for security.  For example,
Orange Book-style systems -- independent of assurance or implementation
techniques, and even independent of the Orange Book itself --
implement a model that says "you can't read information at a
higher sensitivity level; you can't write information to a file
with a lower sensitivity label".  Now, arguably that's a useful
scheme for a time-sharing machine, where you might have users
with different clearances.

What I'm looking for here is a model for the security properties
of a firewall or IDS, in a generic Internet environment.  Orange
Book-style firewalls operate on sensitivity levels -- good for that
environment, perhaps, but useless for most people.  Granted, in
the newer criteria one can claim that a product protects against assorted
attacks -- but what is the *model* for what they do?  Given a model,
one can reason about the model itself.  One can start to build
security kernels that enforce it.

But I haven't a clue what such a model might be.
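As an added illustration, not part of this thread, here is the two-rule model Bellovin describes ("can't read up, can't write down") written out as a toy reference monitor, the kind of thing one can reason about directly. The level names, subjects and file names are constructed; the `taint` high-water mark and the `enforce_star` switch are my own additions, there to show what the second rule buys you.

```python
from dataclasses import dataclass, field
# Constructed example: four totally ordered sensitivity levels, low to high.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class Subject:
    name: str
    clearance: str
    taint: str = "UNCLASSIFIED"  # highest label of anything this subject has read so far

@dataclass
class Obj:
    name: str
    label: str
    contents: list = field(default_factory=list)  # (origin_label, data) pairs

def may_read(subject, obj):  # simple security property: no read up
    return RANK[subject.clearance] >= RANK[obj.label]
def may_write(subject, obj, enforce_star=True):  # *-property: no write down
    return (not enforce_star) or RANK[subject.clearance] <= RANK[obj.label]
def read(subject, obj):
    if not may_read(subject, obj):
        return False
    # Raise the subject's high-water mark to cover the object and everything written into it.
    for lab in [obj.label] + [origin for origin, _ in obj.contents]:
        subject.taint = max(subject.taint, lab, key=RANK.__getitem__)
    return True
def write(subject, obj, data, enforce_star=True):
    if not may_write(subject, obj, enforce_star):
        return False
    obj.contents.append((subject.taint, data))  # data carries the writer's high-water mark
    return True
def leaks(objects):
    """Names of objects holding data that originated above their own label."""
    return sorted({o.name for o in objects for origin, _ in o.contents if RANK[origin] > RANK[o.label]})
def scenario(enforce_star=True):
    """Constructed trace; pass enforce_star=False to see the leak the second rule prevents."""
    secret = Obj("plans", "SECRET", [("SECRET", "deployment dates")])
    public = Obj("readme", "UNCLASSIFIED")
    analyst, clerk = Subject("alice", "SECRET"), Subject("bob", "UNCLASSIFIED")
    results = {
        "clerk_reads_secret": read(clerk, secret),  # denied: no read up
        "analyst_reads_secret": read(analyst, secret),
        "analyst_writes_public": write(analyst, public, "notes", enforce_star),  # denied: no write down
        "clerk_writes_secret": write(clerk, secret, "memo", enforce_star),  # allowed: writing up is fine
    }
    results["leaked"] = leaks([secret, public])
    return results
```

With both rules on, `leaks()` is empty; switch the *-property off and the analyst's note lands in the public file carrying SECRET-origin data, which is exactly the flow the model exists to rule out.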
