Firewall Wizards mailing list archives

Re: Security Policy methodologies


From: Rick Smith <smith () securecomputing com>
Date: Wed, 31 Dec 1997 10:23:34 -0600

At 6:55 PM -0600 12/29/97, Bret Watson wrote:
I'm seeking information on any methodologies for developing
Security Policies.

I've seen two general approaches: top down or bottom up. Though you're
obviously doing the top-down approach, let me comment briefly on the
alternative.

I think there was a paper by some folks at Hanscom AFB on this at ACSAC in
'96. The basic approach was to identify the types of network traffic
currently present, justify all that traffic, and then configure the
firewall to support that traffic. First, they ran a firewall with no
filtering enabled but with all logging enabled in order to identify all
traffic passing through their point of presence. Then they systematically
accounted for all traffic they could. This consisted of contacting the
people using various services and protocols to verify that the
communications were in fact intended and that they supported an appropriate
mission. Then they configured the firewall to support exactly the traffic
required. In a few cases they couldn't track down the users of some obscure
things, so they just disabled them. Naturally, a few protocols were not
detected during their analysis phase and had to be added later.

Personally, I don't think this is a way to achieve recognizable security
objectives. But it's not clear to me that a heterogeneous organization can
achieve such objectives with a multifunction Internet connection. At some
point the firewall lets through so much traffic that it's simply a
deterrent: a fig leaf instead of a suit of armor. This is considered
acceptable security in many places.

An interesting wrinkle I've seen recently in doing top-down analysis and
decomposition is the recent dissertation by Darrell Kienzle on using a
variant of fault trees to do the analysis. Assuming it hasn't moved, a
recent paper on the concept resides at

     http://www.cs.virginia.edu/~dmk8r/NSPW97.ps

while a copy of his dissertation is at

    http://www.cs.virginia.edu/~dmk8r/MOAT.ps

At least, this work suggests a syntactic structure to use when analyzing
security policy issues. But he doesn't say much on appropriate semantics,
which remains the killer issue IMHO.


Rick.
smith () securecomputing com                Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores
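As an added illustration of the bottom-up procedure Rick describes (log everything, inventory what is actually in use, keep only justified traffic, deny the rest), here is example code that is not from the post or from the Hanscom paper; the log format, addresses and the justification table are constructed for the example:

```python
"""Bottom-up firewall policy derivation: (1) run the firewall with logging
on and no filtering, (2) inventory every (protocol, service) observed,
(3) allow only what someone has justified, (4) deny and log the rest so
unclaimed or later-discovered protocols stay visible.
The log format below is constructed for this example, not a real product's."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a permissive, log-everything firewall's output.
OBSERVATION_LOG = """\
1997-12-29T18:55:01 ALLOW tcp 10.1.2.3:1184 -> 192.0.2.10:80
1997-12-29T18:55:02 ALLOW tcp 10.1.2.4:1201 -> 192.0.2.10:80
1997-12-29T18:55:03 ALLOW tcp 10.1.2.3:1185 -> 198.51.100.5:25
1997-12-29T18:55:04 ALLOW udp 10.1.2.9:2049 -> 203.0.113.7:53
1997-12-29T18:55:05 ALLOW tcp 10.1.2.77:3000 -> 203.0.113.44:6667
1997-12-29T18:55:06 ALLOW tcp 10.1.2.3:1186 -> 192.0.2.10:80
"""

@dataclass(frozen=True)
class Service:
    proto: str
    port: int

def inventory(log: str) -> Counter:
    """Step 2: count flows per (protocol, destination port) seen in the log."""
    seen = Counter()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "ALLOW":
            continue  # skip malformed lines rather than miscounting silently
        proto, dst = fields[2], fields[5]
        seen[Service(proto, int(dst.rsplit(":", 1)[1]))] += 1
    return seen

def derive_ruleset(seen: Counter, justified: dict) -> list:
    """Steps 3 and 4: allow services with a recorded owner/mission; every
    service that was observed but never claimed is denied explicitly and
    logged, and a final default deny catches protocols missed in analysis."""
    rules = []
    for svc, count in sorted(seen.items(), key=lambda kv: -kv[1]):
        if svc in justified:
            rules.append(f"allow {svc.proto} dport {svc.port}  # {justified[svc]} ({count} flows)")
        else:
            rules.append(f"deny  {svc.proto} dport {svc.port} log  # unclaimed ({count} flows)")
    rules.append("deny any any log  # default deny: undetected protocols surface here")
    return rules
```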
