Firewall Wizards mailing list archives

Re: Covert Channels (was dns outbound)


From: Andrew Brown <atatat () atatdot net>
Date: Tue, 18 May 1999 21:50:58 -0400

You're almost saying that a firewall needs to have design properties
from those A1 Orange book systems (which we all love to hate) by
being careful to eliminate leakage of information.

Hmm... I don't know the standards that well.  I can't imagine they
do that effective a job of eliminating this threat.  I wish I had
one I could try to fool.

   ftp://ftp.leo.org/pub/comp/doc/security/orange-book/obook

(which is not an "official" site, but it serves my purpose :)

and also

  http://pandonia.canberra.edu.au/ClientServer/week3/security.sgml-005.html

which comments on unix.  higher grades of security cannot easily be
retrofitted onto a unix system.

defeating covert channels is a requirement of a system that's rated
"b2".  the other "points" are:

  http://pandonia.canberra.edu.au/ClientServer/week3/security.sgml-005.html

B2
            formal security policy model
            device labels
            DAC and MAC (Message Authentication Code) (fancy checksums)
            covert channel control
            more extensive testing

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."


