Firewall Wizards mailing list archives
Re: [firewall-wizards] Trusted OS...
From: Magosanyi Arpad <mag () bunuel tii matav hu>
Date: Wed, 8 Mar 2000 13:39:59 +0100
My mail client believes that Jean Caron wrote the following:
> On Mon, 6 Mar 2000, Magosanyi Arpad wrote:
> <snip, snip>
> > If you consider the NTCB model of TCSEC, the picture gets to be a little more fine. The main point is that you cannot guarantee the integrity of the application (firewall proxies) if you don't have a TCB under it, and the firewall proxies are an integral part of the NTCB (anywhere between an 'M' and an 'MIA' component). The little problem with this is that no firewall (which I know about) has been specifically designed as an M component of an NTCB. The other problem is that no network protocol I know of is designed for transmitting the labels as well (though some of them, like smtp and http, are able to do that).
>
> Ok, I understand TCB, it's precisely what I'm working with now and need to replace. NTCB confuses me a little; this is extending it to the network, is it? Anyway, you do lose me when you talk about M and MIA components, what would those be? I don't need to extend this to the network protocol itself. What I need is a solid firewall that can be rated as high as B2 level.
Read NCSC-TG-005. It describes how you can build a network security infrastructure with an overall rating of, say, B2. You will learn that you need an NTCB (Networked Trusted Computing Base) element which has some of the following functionalities:

- Mandatory Access Control ('M' component)
- Identification & Authentication ('A' component)
- Audit ('A' component)

And there is a 'D' component for discretionary access control, which I think does not play much when we are talking about firewall functionality.

Jackie Soares has written that you need a "guard", and not a firewall, if you are thinking of the TCSEC model of network security. I rather think that a firewall and a guard are effectively the same thing, but viewed from different perspectives, and with emphasis on different subsets of the problem. What I think we will soon see is something that looks like a firewall and has labeled security.

I have taken a look at the TPEP list and the following is what I have found interesting:

- Gemini Trusted Network Processor on the GTNP hardware, which is a multiprocessor x86. It's an A1 M component.
- Cray Unicos running on the CRAY Y-MP architecture. It's a B1 MDIA component.
- Harris CX/SX with LAN/SX on the Series 4000 Night Hawk, which also looks like a supercomputer. It's a B1 MDIA component.
- Dragonfly Guard. It is EAL2 by CC; its report basically says that it is an MDIA.

The first one looks most similar to a firewall today by the sparse documentation which is on the web. But it might also be only a multilevel packet switch. The third and fourth are full unixen running on supercomputers. The fourth is a real guard, in a somehow unique infrastructure. I think that you can build a firewall using nearly any of them; the question is the amount of work included.

--
GNU GPL: only from a pure source
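As an added illustration, not taken from the thread or from any product it names, of the decision an 'M' component inside a firewall proxy would have to make when a protocol such as HTTP carries the label: a toy label-dominance check with levels and compartments, applied to labels read from an assumed X-Security-Label header, that fails closed whenever a label is missing or malformed. The level lattice, the header name, the label wire format and the sample inputs are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed lattice of sensitivity levels (assumption, not from the thread).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LABEL_HEADER = "X-Security-Label"  # assumed header name carrying the label


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND every compartment of the other present.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def parse_label(text: str) -> Label:
    # Assumed wire format: "SECRET:NATO,CRYPTO"; compartments are optional.
    level, _, comps = text.partition(":")
    level = level.strip().upper()
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    parts = frozenset(c.strip().upper() for c in comps.split(",") if c.strip())
    return Label(level, parts)


def proxy_may_forward(subject: Label, obj: Label, op: str) -> bool:
    # Bell-LaPadula rules an M component must enforce when relaying:
    #   read  -> simple security: the subject dominates the object
    #   write -> *-property: the object dominates the subject (no write-down)
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def decide(subject_headers: dict, object_headers: dict, op: str) -> str:
    # Fail closed: a missing or malformed label on either side is a deny,
    # because the proxy then has no TCB-backed label to reason about.
    try:
        subject = parse_label(subject_headers[LABEL_HEADER])
        obj = parse_label(object_headers[LABEL_HEADER])
        return "permit" if proxy_may_forward(subject, obj, op) else "deny"
    except (KeyError, ValueError):
        return "deny"
```

The point the thread makes still holds for this code: the decision is only as trustworthy as the TCB that produced and protected the labels on both ends.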
Current thread:
- Trusted OS... Jean Caron (Mar 05)
- Re: [firewall-wizards] Trusted OS... Magosanyi Arpad (Mar 06)
- Re: [firewall-wizards] Trusted OS... Jean Caron (Mar 12)
- Re: [firewall-wizards] Trusted OS... Magosanyi Arpad (Mar 12)
- Re: Trusted OS... Bennett Todd (Mar 21)
- Re: [firewall-wizards] Trusted OS... Jean Caron (Mar 12)
- Re: [firewall-wizards] Trusted OS... Magosanyi Arpad (Mar 06)
- <Possible follow-ups>
- Re: Trusted OS... Valerie Anne Bubb (Mar 06)
- Re: Re: Trusted OS... Paul McNabb (Mar 23)
- Re: Re: Trusted OS... Marcus J. Ranum (Mar 28)
- Re: Re: Trusted OS... Ryan Russell (Mar 29)
- Re: Trusted OS... Bennett Todd (Mar 29)
- Re: Re: Trusted OS... Marcus J. Ranum (Mar 28)
- Re: Re: Trusted OS... Marcus J. Ranum (Mar 28)
- Re: Re: Trusted OS... Iván Arce (Mar 29)
- Re: Re: Trusted OS... Patrick Bryan (Mar 29)