Firewall Wizards mailing list archives
Re: Re[4]: Firewalls/Internet Security - TNG (long)
From: Rachel Rosencrantz <rachel.rosencrantz () predictive com>
Date: Fri, 13 Feb 1998 12:40:24 -0500
At 07:07 PM 12/11/97 -0600, Rick_Giering_at_mpg003 () ccmailgw mcgawpark baxter com wrote some stuff that got me thinking:
First, each piece of data must contain it's own identify and authorization set (eg. I'm "msg1234" created by "Joe Smith" with "Execute" authority from "Jane Smith" and "Delete Self" authority from "Ward Clever.") In fact, the data could contain multiple identities each with its own authorization sets (eg. <the above> and I'm "wrapperABC" from "Hacker" with "write to boot block" authority from "Hacker"). The OS is initially only responsible for validating the identities as either validated or unable-to-validate.
However, there needs to be some authorization verification mechanism too. Not only who has the right to authorize certain behaviors, but also, what creators can be authorized to do certain behaviors. I'm thinking more along the Confidentiality & Integrity (Bell-Lapadula/BIBA/etc) lines. Taking Joe, Dick, Jane, and Ward as our example, maybe Joe, being level A, can write data, but can't read(get) data, or make their program execute. Dick being level B can write data and read data, but cannot make their program execute. Jane being level C can write data, read data, and execute, and becuase she's an authorizor, can authorize level B people's work to execute. Ward being level C, and the grand poo-bah, can read, write, and execute data and authorize anyone to read data and anyone's work to execute. If Dick writes a message, Jane can sign it and give him authorization to execute. Dick's program can now run after being downloaded. If Joe writes a message and Jane signs it to give him authorization to execute, it still cannot execute. However, if Ward signs Joe's work for execute the program can now run. What would be needed is some way to store this authorization structure, and enforce it. The problem is that it gets more complicated as you get into the net. Not all machines have equally important information. Ideally more critical machines will be behind some other firewall/filtering mechanism with their own set of authorizations. However, having seen some of the nets I've seen that isn't always going to be the case. So at this point we are talking about having: a) A mechanism for validating that the signatures really belong to who they say they belong to. b) An authorization scheme that identifies what validated identities can do what level of activities (reading, writing, executing, reading files written by others, etc.), and what type of authorization. In some cases it might even be necessary to add to the matrix what type of machines this authorization applies to. (Jane can rwx (read, write, and execute) on "open machines" rw to "semi-open machines" and only r to "secure" machines. c) For those sites with critical machines on the same network as semi-critical and not-so-critical machines there would need to be some way of "classifying" the machines, so you could apply the table discussed as item b above in an appropriate way. (See Jane. See Jane code. See Jane's code run.) Of course, this relies on the fact that your filter/proxy can tell what those packets are going to do.
I agree that someone could put a wrapper around the data that might try to do virus kinds of things but in that case, each of its requests for actions (eg delete file, write to file) would have to be accompanied by its own authorizations and not those of the data. Also, even if the wrapper were able to get a copy of the data's authorizations, the wrapper can't be authorizated to do something if the data isn't. (eg. it can't "write to boot block" if the data it's impersonating isn't allowed to)
Ok...so now that we have this functioning authorization matrix (network data labeling mechanism) (secured in such a way that this doesn't create a further vulnerability) now we get to see what the packets sent through are trying to do. Now doing all this access control along with signature authentication up at the firewall/filter level presents a challenge that is different (I believe) than trying to do similar access control at the OS level. The problem with pushing this up to the firewall, which I think is the same problem as found by using these great sandboxes is (at least) two-fold. First off, once the data comes through the firewall, how do you keep the labels, or the meanings of the labels from getting lost. Secondly, the level of analysis of the data may be more complex than can be reasonably done at an above OS level. At the OS level you can "simply" catch all the read and write functions, at the firewall level you only have limited access to that information, and a lot of code analysis would have to happen. You could conceivably create a label policy enforced java (or DHTML or some other browser based code) environment by shunting off the java files to some particular machine that runs the java on that machine, and uses the OS to enforce the labels, and displays the results to the users machine. (I know there are some flavors of this already.) But once the data is downloaded to the users machine, unless the OS is helping out (with policy enforcement), the user can run whatever they please. Ok, ok...I know up at the top of this all Rick Giering mentioned that the _OS_ was responsible for validating. But how do we get the OS to enforce this validation/authorization. Unless you've got everyone on some thin client Network Computer where the "network is the machine", the job is pretty tough. I think the signature scheme could be use to set up some level of labeling on network data at the firewall to provide some accountability, but the OS is going to have to change, or be adapted, so those labels aren't lost or ignored. And with a bunch of laptops, how do you prevent the user from removing the modifications. I suppose when they access the net you'd have to scan the machine to make sure they hadn't removed the protection OS, and deny the connection (quarrentine) until the machine was wiped and reinstalled or verified. Just some thoughts, Rachel
Current thread:
- Re: Re[4]: Firewalls/Internet Security - TNG (long) Rachel Rosencrantz (Feb 13)