Firewall Wizards mailing list archives
Re: TCSEC and firewalls
From: Rick Smith <rick_smith () securecomputing com>
Date: Tue, 06 Jul 1999 16:13:00 -0500
At 10:07 AM 6/28/99 +0200, Magosanyi Arpad wrote:
Hi! I have just read the TCSEC interpretation for a networked environment. (The document called NCSC-TG-005)
And here I am again, beating a dead horse after the barn door was left open. But it's hard for me to pass up an opportunity to talk about TCSEC and firewalls. First of all, realize that the TNI (TCSEC Trusted Network Interpretation) was written very early in the evolution of today's network architecture. They tried to accommodate multiuser timeshared access to network resources at the same time as desktop workstations. They didn't really have the notion of firewalls and perimeter security. Furthermore, they were constrained to follow the straitjacket of the TCSEC, which led to some really weird and useless results. So, this whole discussion isn't much different than the Ptolemaic attempt to reconcile the motion of the planets with a geocentric world view. But I enjoy such intellectual challenges, pointless though they may be. If you are trying to do something practical regarding security, I recommend you burn your copy of TNI and look at something more recent, like Cheswick and Bellovin (which is getting quite aged, but is still a terrific work on network security architecture). If you are considering NCSC evaluation of a product, let me suggest there are much better ways to achieve whatever goal made you think of such a silly thing. NCSC evaluation is never an end in itself, it's pursued to achieve some real goal, and there are no practical goals that are achieved by an NCSC evaluation. Not even DoD seems to care about evaluations any more.
-What is the DAC functionality regarding a firewall? Is the ability of the firewall administrator to define the access list for a communication channel the DAC functionality? Or is it completely outside the scope of network perimeter defense?
True DAC involves an individual user's ability to control access to their own objects by other users. This isn't something that firewalls generally get involved with. On the other hand, DAC does have implications regarding administrator roles on a firewall.
-Is it sensible for data to have different labels at different points of the transmission path depending on the properties of the transmission medium?
Labels are intended to enforce separation between chunks of information that should only be accessed by different groups of users. They have nothing to do with network infrastructure. Hierarchical labels are basically useless in commercial applications, though you might be able to put data at a lower classification level and use the access control to protect it from modification.
-How would you define the MAC labels' non-hierarchical categories part in a corporate environment? Should they refer to the organizational units? Should they refer to some aspects of the IT infrastructure (and then how are they glued into a comprehensive representation at the level of the corporate NTCB)?
You could use it to refer to organizational units insofar as the different units have information that must be kept separate and not shared. If you have a computer that correctly implements non-hierarchical categories, and applies them to the network protocol stack, you can use them profitably to build a strong server that isolates the Internet interface from the internal interface. This gives you a separate layer of protection in case an attacker penetrates the server software. But this strategy is expensive and few people use it.
-There are only vague references to cryptography in the document. How should I express (in the terms of TCSEC) the need that the protection of the transmitted data should be proportional to its sensitivity label along the whole transmission path, either by cryptography or physical security?
The TNI was written under the banner of NSA during the ascendancy of spooks, and it was considered sensitive information for NSA to talk about crypto. This is another reason why the document is largely worthless. In fact, most of the network security architecture that came out of NSA at the time relied solely on cryptography to implement NTCB controls on the network.
Rick. smith () securecomputing com
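To make the non-hierarchical-category idea in the reply concrete, here is a small added model (not code from the list or from any product) of a label lattice with a hierarchical level plus a set of categories, used to isolate an Internet-facing interface from an internal one on the same server. The category names, the relay "proxy" subject and the trusted-subject flag are assumptions for illustration; the dominance rules follow the usual Bell-LaPadula simple-security and *-properties.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Hierarchical levels: the part of a label the reply calls largely useless
# in commercial settings; categories do the interesting work below.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]  # non-hierarchical compartments

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: level >= other's level AND categories are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def can_read(subject: Label, obj: Label) -> bool:
    """Simple-security property: read only what the subject dominates."""
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label, trusted: bool = False) -> bool:
    """*-property: write only to objects that dominate the subject, so data
    cannot leak from one compartment into another. A trusted subject (the
    expensive, carefully reviewed relay) is exempted."""
    return trusted or obj.dominates(subject)

# Constructed example: two interfaces of one server in disjoint categories.
INTERNET_IF = Label("UNCLASSIFIED", frozenset({"INTERNET"}))
INTERNAL_IF = Label("UNCLASSIFIED", frozenset({"INTERNAL"}))
# The relay subject is the only thing labelled with both categories.
PROXY = Label("UNCLASSIFIED", frozenset({"INTERNET", "INTERNAL"}))
# An attacker who penetrates the externally facing daemon inherits its label.
COMPROMISED_DAEMON = INTERNET_IF

def isolation_report() -> Dict[str, bool]:
    """Which flows the label checks permit once the external daemon is owned."""
    return {
        "daemon_reads_internal": can_read(COMPROMISED_DAEMON, INTERNAL_IF),
        "daemon_writes_internal": can_write(COMPROMISED_DAEMON, INTERNAL_IF),
        "proxy_reads_internet": can_read(PROXY, INTERNET_IF),
        "proxy_reads_internal": can_read(PROXY, INTERNAL_IF),
        "untrusted_proxy_writes_internal": can_write(PROXY, INTERNAL_IF),
        "trusted_proxy_writes_internal": can_write(PROXY, INTERNAL_IF, trusted=True),
    }

if __name__ == "__main__":
    for flow, allowed in isolation_report().items():
        print(f"{flow}: {'ALLOWED' if allowed else 'DENIED'}")
```

The report shows the point of the reply: a compromised daemon in the INTERNET compartment can neither read nor write INTERNAL objects, and even the dual-category proxy cannot write across without being made a trusted subject, which is the costly part of the scheme.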