Firewall Wizards mailing list archives

Re: TCSEC and firewalls


From: Rick Smith <rick_smith () securecomputing com>
Date: Tue, 06 Jul 1999 16:13:00 -0500

At 10:07 AM 6/28/99 +0200, Magosanyi Arpad wrote:
> Hi!
> 
> I have just read the TCSEC interpretation for a networked environment.
> (The document called NCSC-TG-005)

And here I am again, beating a dead horse after the barn door was left
open. But it's hard for me to pass up an opportunity to talk about TCSEC
and firewalls.

First of all, realize that the TNI (TCSEC Trusted Network Interpretation)
was written very early in the evolution of today's network architecture.
They tried to accommodate multiuser timeshared access to network resources
at the same time as desktop workstations. They didn't really have the
notion of firewalls and perimeter security. Furthermore, they were
constrained to follow the straitjacket of the TCSEC, which led to some
really weird and useless results.

So, this whole discussion isn't much different than the Ptolemaic attempt
to reconcile the motion of the planets with a geocentric world view. But I
enjoy such intellectual challenges, pointless though they may be.

If you are trying to do something practical regarding security, I recommend
you burn your copy of TNI and look at something more recent, like Cheswick
and Bellovin (which is getting quite aged, but is still a terrific work on
network security architecture).

If you are considering NCSC evaluation of a product, let me suggest there
are much better ways to achieve whatever goal made you think of such a
silly thing. NCSC evaluation is never an end in itself, it's pursued to
achieve some real goal, and there are no practical goals that are achieved
by an NCSC evaluation. Not even DoD seems to care about evaluations any more.

> -What is the DAC functionality regarding a firewall? Is the ability of
> the firewall administrator to define the access list for a communication
> channel the DAC functionality? Or is it completely outside the
> scope of network perimeter defense?

True DAC involves an individual user's ability to control access to their
own objects by other users. This isn't something that firewalls generally
get involved with. On the other hand, DAC does have implications regarding
administrator roles on a firewall.

> -Is it sensible for data to have different labels at different points
> of the transmission path depending on the properties of the transmission
> medium?

Labels are intended to enforce separation between chunks of information
that should only be accessed by different groups of users. They have
nothing to do with network infrastructure.

Hierarchical labels are basically useless in commercial applications,
though you might be able to put data at a lower classification level and
use the access control to protect it from modification.

> -How would you define the MAC labels' non-hierarchical categories part
> in a corporate environment? Should they refer to the organizational units?
> Should they refer to some aspects of the IT infrastructure (and then how are
> they glued into a comprehensive representation at the level of the corporate
> NTCB)?

You could use it to refer to organizational units insofar as the different
units have information that must be kept separate and not shared.

If you have a computer that correctly implements non-hierarchical
categories, and applies them to the network protocol stack, you can use
them profitably to build a strong server that isolates the Internet
interface from the internal interface. This gives you a separate layer of
protection in case an attacker penetrates the server software. But this
strategy is expensive and few people use it.

> -There are only vague references to cryptography in the document. How should
> I express (in TCSEC terms) the need that the protection of the
> transmitted data should be proportional to its sensitivity label over the
> whole transmission path, either by cryptography or physical security?

The TNI was written under the banner of NSA during the ascendancy of
spooks, and it was considered sensitive information for NSA to talk about
crypto. This is another reason why the document is largely worthless.

In fact, most of the network security architecture that came out of NSA at
the time relied solely on cryptography to implement NTCB controls on the
network.

Rick.
smith () securecomputing com
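The two label passages above (labels as separation between groups of information, and non-hierarchical categories applied to the protocol stack so that an Internet-facing server cannot reach the internal interface) are easier to see in a small model. The following is an added example, not code from Rick's post, from the TNI, or from any Secure Computing product: a TCSEC-style label is a hierarchical level plus a set of categories, dominance is the lattice order over both, and reads and writes are checked with the Bell-LaPadula simple-security and *-properties. The interface, object and process names (if_internet, if_internal, web_proxy, and so on) are made up for illustration.

```python
"""Added example: MAC labels with non-hierarchical categories used to
isolate a server's Internet interface from its internal interface.

Constructed illustration, not code from the original post or from any
product.  Names of interfaces, objects and processes are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hierarchical part of the label: a totally ordered set of levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: one hierarchical level plus a set of
    non-hierarchical categories (compartments)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND every category of
        # `other` also held here.  Labels with disjoint category sets
        # are incomparable, which is exactly what keeps the two
        # network interfaces apart.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple-security property: read only if subject dominates object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only if object dominates subject (no write-down)."""
    return obj.dominates(subject)


# Constructed policy (hypothetical names).  Each network interface is an
# object carrying its own category; a daemon bound to the Internet side
# carries only the INTERNET category.
OBJECTS = {
    "if_internet": Label("UNCLASSIFIED", frozenset({"INTERNET"})),
    "if_internal": Label("UNCLASSIFIED", frozenset({"INTERNAL"})),
    "secret_db":   Label("SECRET", frozenset({"INTERNAL"})),
    "public_page": Label("UNCLASSIFIED", frozenset({"INTERNET"})),
}
SUBJECTS = {
    "web_proxy":     Label("UNCLASSIFIED", frozenset({"INTERNET"})),
    "secret_reader": Label("SECRET", frozenset({"INTERNET"})),
}


def check(subject_name: str, obj_name: str, op: str) -> bool:
    """Decide one access request ('read' or 'write') under the policy."""
    s, o = SUBJECTS[subject_name], OBJECTS[obj_name]
    return can_read(s, o) if op == "read" else can_write(s, o)


def audit(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the subset of requests the policy denies."""
    return [r for r in requests if not check(*r)]


if __name__ == "__main__":
    # Simulate a compromised Internet-facing proxy probing the inside,
    # plus a higher-level process trying to modify lower-level data.
    attempts = [
        ("web_proxy", "if_internet", "read"),        # allowed
        ("web_proxy", "if_internet", "write"),       # allowed
        ("web_proxy", "if_internal", "read"),        # denied: INTERNAL not held
        ("web_proxy", "if_internal", "write"),       # denied: categories disjoint
        ("secret_reader", "public_page", "read"),    # allowed: read-down
        ("secret_reader", "public_page", "write"),   # denied: no write-down
    ]
    for req in attempts:
        print(req, "ALLOW" if check(*req) else "DENY")
```

The last pair of requests is the point made about hierarchical labels in the post: data filed at a lower level is readable by higher-level processes but, under the *-property, cannot be modified by them. A real system needs a trusted subject exempt from that rule to relay traffic between the two interfaces, which is the expensive part.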
