Re: Re[4]: Firewalls/Internet Security - TNG (long)

[Rachel Rosencrantz <rachel.rosencrantz () predictive com>]

At 07:07 PM 12/11/97 -0600,
Rick_Giering_at_mpg003 () ccmailgw mcgawpark baxter com wrote some stuff that
got me thinking:

> First, each piece of data must contain it's own identify and authorization 
> set (eg. I'm "msg1234" created by "Joe Smith" with "Execute" authority from 
> "Jane Smith" and "Delete Self" authority from "Ward Clever.") In fact, the 
> data could contain multiple identities each with its own authorization sets 
> (eg. <the above> and I'm "wrapperABC" from "Hacker" with "write to boot 
> block" authority from "Hacker"). The OS is initially only responsible for 
> validating the identities as either validated or unable-to-validate.

However, there needs to be some authorization verification mechanism
too.  Not only who has the right to authorize certain behaviors, but
also, what creators can be authorized to do certain behaviors.

I'm thinking more along the Confidentiality & Integrity 
(Bell-Lapadula/BIBA/etc) lines.  Taking Joe, Dick, Jane, and Ward as our
example, maybe 
Joe, being level A, can write data, but can't read(get) data, or make their
program execute. 
Dick being level B can write data and read data, but cannot make their
program execute.
Jane being level C can write data, read data, and execute, and 
becuase she's an authorizor, can authorize level B people's work to execute.
Ward being level C, and the grand poo-bah, can read, write, and
execute data and authorize anyone to read data and anyone's work to execute.

If Dick writes a message, Jane can sign it and give him authorization to
execute.  Dick's program can now run after being downloaded.

If Joe writes a message and Jane signs it to give him authorization to 
execute, it still cannot execute.

However, if Ward signs Joe's work for execute the program can
now run. 

What would be needed is some way to store this authorization structure, 
and enforce it. 

The problem is that it gets more complicated as you get into the net.
Not all machines have equally important information. Ideally more
critical machines will be behind some other firewall/filtering mechanism
with their own set of authorizations.  However, having seen some
of the nets I've seen that isn't always going to be the case.

So at this point we are talking about having:
a) A mechanism for validating that the signatures really belong to who
   they say they belong to. 

b) An authorization scheme that identifies what validated identities
   can do what level of activities (reading, writing, executing, reading 
   files written by others, etc.), and what type of authorization. In some 
   cases it might even be necessary to add to the matrix what type of machines
   this authorization applies to. (Jane can rwx (read, write, and execute) on
   "open machines" rw to "semi-open machines" and only r to "secure" machines.

c) For those sites with critical machines on the same network as 
   semi-critical and not-so-critical machines there would need to be some
   way of "classifying" the machines, so you could apply the table
   discussed as item b above in an appropriate way.  (See Jane. See Jane
   code. See Jane's code run.) 

Of course, this relies on the fact that your filter/proxy can tell
what those packets are going to do.  

> I agree that someone could put a wrapper around the data that might try to 
> do virus kinds of things but in that case, each of its requests for actions 
> (eg delete file, write to file) would have to be accompanied by its own 
> authorizations and not those of the data. Also, even if the wrapper were 
> able to get a copy of the data's authorizations, the wrapper can't be 
> authorizated to do something if the data isn't. (eg. it can't "write to 
> boot block" if the data it's impersonating isn't allowed to)

Ok...so now that we have this functioning authorization matrix 
(network data labeling mechanism)
(secured in such a way that this doesn't create a further vulnerability)
now we get to see what the packets sent through are trying to do. 

Now doing all this access control along with signature
authentication up at the firewall/filter level presents
a challenge that is different (I believe) than trying to do similar
access control at the OS level. 

The problem with pushing this up to the firewall, which
I think is the same problem as found by using these great sandboxes
is (at least) two-fold.  First off, once the data comes through the firewall,
how do you keep the labels, or the meanings of the labels from getting
lost.  

Secondly, the level of analysis of the data may be more complex than
can be reasonably done at an above OS level.  At the OS level you can
"simply" catch all the read and write functions, at the firewall level
you only have limited access to that information, and a lot of code analysis
would have to happen.  

You could conceivably create a label policy enforced
java (or DHTML or some other browser based code) environment by 
shunting off the java files to some particular machine that runs the 
java on that machine, and uses the OS to enforce the labels, and displays
the results to the users machine. (I know there are some flavors of this
already.)  But once the data is downloaded to the users
machine, unless the OS is helping out (with policy enforcement), 
the user can run whatever they please. 

Ok, ok...I know up at the top of this all Rick Giering mentioned
that the _OS_ was responsible for validating.  But how do we get
the OS to enforce this validation/authorization.  Unless you've got
everyone on some thin client Network Computer where the "network is 
the machine", the job is pretty tough.  

I think the signature scheme could be use to set up some level of 
labeling on network data at the firewall  to provide some accountability, 
but the OS is going to have to change, or be adapted, so those labels 
aren't lost or ignored.  And with a bunch of
laptops, how do you prevent the user from removing
the modifications.  I suppose when they access the net you'd have
to scan the machine to make sure they hadn't removed the protection OS,
and deny the connection (quarrentine) until the machine was wiped and
reinstalled or verified. 

Just some thoughts,
Rachel