Firewall Wizards mailing list archives

Model for security (was Re: Important Comments re: INtrusion Detection )


From: John McDermott <jjm () jkintl com>
Date: Thu, 19 Feb 98 11:16:48


OK,  I think we need some new sort of model, too.  I guess I need an 
earlier starting point, though: what form should the model take?

Here are some (unordered) thoughts we could perhaps use as a starting 
point:

I'm more struggling with the form than the content at this point.  That is, 
do we want to look at an access model (as paragraph one alludes to below) 
or do we want something else?

Reading paragraph one below again, it seems as though the "timesharing" 
system isn't so far fetched a concept today as it seems, if we consider 
"the network is the system".  Then it *sort of* distributes the system 
around.  The problem with that is that we then have N (where N is not too 
small) different implementations of each part of the system, etc.

So in general, I think the model needs to deal with the distributed nature 
of computing as we now have it.  Maybe there is a hierarchical structure 
of:
        User
         |
        Local application (e.g. client)
         |
        Local system (esp. the OS)
         |
         | -- is the information about how the local and remote systems
         |      connect significant?
         |
        Remote system (esp. the OS)
         |
        Remote application (e.g. server)

This 5-tuple (is that enough?, too much?) might describe an "association" 
for which some attributes might be enumerated.

Anyway, I hope this serves as a starting point for some thought...

--john

--- On Wed, 18 Feb 1998 16:17:31 +0000  "Steven M. Bellovin" 
<smb () research att com> wrote:

<...>

That's not my point.  What I'm looking for is a higher-level
specification of the basic *model* for security.  For example,
Orange Book-style systems -- independent of assurance or implementation
techniques, and even independent of the Orange Book itself --
implement a model that says "you can't read information at a
higher sensitivity level; you can't write information to a file
with a lower sensitivity label".  Now, arguably that's a useful
scheme for a time-sharing machine, where you might have users
with different clearances.

What I'm looking for here is a model for the security properties
of a firewall or IDS, in a generic Internet environment.  Orange
Book-style firewalls operate on sensitivity levels -- good for that
environment, perhaps, but useless for most people.  Granted, in
the newer criteria one can claim that a product protects against assorted
attacks -- but what is the *model* for what they do?  Given a model,
one can reason about the model itself.  One can start to build
security kernels that enforce it.

But I haven't a clue what such a model might be.



-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
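
Added example, not part of either message: the two Orange Book-style rules quoted above ("can't read information at a higher sensitivity level; can't write information to a file with a lower sensitivity label") written as predicates, with an exhaustive check that no chain of permitted reads and writes moves information downward, which is the kind of reasoning about a model the quoted text describes. The four level names and all function names are constructed for illustration.

```python
from itertools import product

# Constructed sensitivity labels (assumption: a simple total order).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def can_read(subject, obj):
    """No read up: the object's level must not exceed the subject's."""
    return LEVELS[obj] <= LEVELS[subject]

def can_write(subject, obj):
    """No write down: the object's level must not be below the subject's."""
    return LEVELS[obj] >= LEVELS[subject]

def direct_flows(read_ok=can_read, write_ok=can_write):
    """Pairs (src, dst) where one subject may read src and write dst."""
    return {(src, dst)
            for subj, src, dst in product(LEVELS, repeat=3)
            if read_ok(subj, src) and write_ok(subj, dst)}

def reachable_flows(flows):
    """Transitive closure: information relayed through any chain of subjects."""
    closure = set(flows)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(closure), repeat=2):
            if b == c and (a, d) not in closure:
                closure.add((a, d))
                changed = True
    return closure

def downward_leaks(flows):
    """Flows that move information to a strictly lower level."""
    return sorted((s, d) for s, d in reachable_flows(flows)
                  if LEVELS[s] > LEVELS[d])

if __name__ == "__main__":
    print("leaks under both rules:", downward_leaks(direct_flows()))
    # Drop the write rule and the same check finds every downward path.
    no_write_rule = direct_flows(write_ok=lambda subj, obj: True)
    print("leaks without the write rule:", downward_leaks(no_write_rule))
```
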


