Firewall Wizards mailing list archives
Model for security (was Re: Important Comments re: INtrusion Detection )
From: John McDermott <jjm () jkintl com>
Date: Thu, 19 Feb 98 11:16:48
OK, I think we need some new sort of model, too. I guess I need an earlier starting point, though: what form should the model take? Here are some (unordered) thoughts we could perhaps use as a starting point:

I'm more struggling with the form than the content at this point. That is, do we want to look at an access model (as paragraph one alludes to below) or do we want something else?

Reading paragraph one below again, it seems as though the "timesharing" system isn't so far fetched a concept today as it seems, if we consider "the network is the system". Then it *sort of* distributes the system around. The problem with that is that we then have N (where N is not too small) different implementations of each part of the system, etc.

So in general, I think the model needs to deal with the distributed nature of computing as we now have it. Maybe there is a hierarchical structure of:

User
  |
Local application (e.g. client)
  |
Local system (esp. the OS)
  |
  | -- is the information about how the local and remote systems
  |    connect significant?
  |
Remote system (esp. the OS)
  |
Remote application (e.g. server)

This 5-tuple (is that enough?, too much?) might describe an "association" for which some attributes might be enumerated.

Anyway, I hope this serves as a starting point for some thought...

--john

--- On Wed, 18 Feb 1998 16:17:31 +0000 "Steven M. Bellovin" <smb () research att com> wrote:

<...>
That's not my point. What I'm looking for is a higher-level specification of the basic *model* for security. For example, Orange Book-style systems -- independent of assurance or implementation techniques, and even independent of the Orange Book itself -- implement a model that says "you can't read information at a higher sensitivity level; you can't write information to a file with a lower sensitivity label". Now, arguably that's a useful scheme for a time-sharing machine, where you might have users with different clearances. What I'm looking for here is a model for the security properties of a firewall or IDS, in a generic Internet environment. Orange Book-style firewalls operate on sensitivity levels -- good for that environment, perhaps, but useless for most people. Granted, in the newer criteria one can claim that a product protects against assorted attacks -- but what is the *model* for what they do? Given a model, one can reason about the model itself. One can start to build security kernels that enforce it. But I haven't a clue what such a model might be.
-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------