Firewall Wizards mailing list archives
RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd)
From: Jeremy Epstein <jepstein () tis com>
Date: Tue, 27 Oct 1998 23:07:05 -0500
In Vol 1 # 209 there are a few misconceptions about what the Australians are up to. Bret Watson wrote:
I've seen some more info on it... basicall its a firewall appliance running what appears to be some form of application proxy...
No it's not. It *truly* is a diode with one way data transfer. If you don't believe me, read the paper in the Annual Computer Security Applications Conference in 1996 (I think) by Mark Anderson.
Its a pity that the marketing driods have tried to hype it using what I can only describe as "bullshit terms".. such as "digital diode - allows information to flow in one direction only" .. Personally if I was in the defense dept over here I'd be worried reading things like that..
I'm more worried about people here who don't realize they've managed to do something quite nice! Then ark () eltex ru asked:
Hmm and how does classified side make requests? Or it does not? So what protocols can it use?
It doesn't! That's exactly the point. On the high side, you can only communicate with high side systems. If you want to make a low side request, you flip the switch to the low side (so your keyboard & mouse are pointing there) and run software on the low side machine to make your request. Presuming that the *people* aren't deliberately leaking information (*), there's no way for data to leak, since malicious software has no way to send from high to low. (*) If people are doing the leaking, there's much more efficient ways than by retyping data from the high side onto the low side. Paul McNabb wrote:
I've poked around on these sites and it appears that the Australians are finally commercializing the old CMW technology, something that was done years ago here in the U.S. I wonder if they've added anything of value or if they are just repackaging it? I know of at least six products that do exactly what is described by the Australian web pages, and do it on a single machine with properly modified/secured X servers and network stacks.
Paul, it's emphatically not CMW technology. CMW relied on medium assurance (i.e., B1) operating systems and windowing systems to provide a modicum of separation. This has only two small trusted parts: a one-way diode and an A/B switch. It's certainly not repackaging. Everything else is completely untrusted. So you don't need trusted operating systems or windowing systems, both of which are VERY hard to do with any degree of assurance. And as a result, you can get very high assurance. [If the NSA evaluated things like this, I'm reasonably confident it could meet TCSEC A1 without much difficulty. But since it's not an operating system, but rather a nifty device, the NSA doesn't know how to evaluate it. Luckily, there are other criteria besides Orange Book that are more flexible for things like this.] Truth be told, it's most similar to the TRW Trusted X research prototype that I did in the early 1990s. It uses many of the same concepts (Mark Anderson, the inventor of the Australian box, attended a tutorial I gave and came up with a better solution than I had). --Jeremy ---------------------------------+------------------------------------- | Jeremy Epstein | E-mail: jepstein () tis com | | TIS Labs at Network Associates | Voice: +1 (703) 356-4938 | | Northern Virginia Office | Fax: +1 (703) 821-8426 | ---------------------------------+-------------------------------------
Current thread:
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) ark (Oct 23)
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Rick Murphy (Oct 23)
- <Possible follow-ups>
- Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Jeremy Epstein (Oct 23)
- RE: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd) Jeremy Epstein (Oct 28)