Firewall Wizards mailing list archives

Re: The Mathematics of Relative Security


From: John Adams <jna+dated+1096224847.fdd513 () retina net>
Date: Tue, 21 Sep 2004 11:54:06 -0700 (PDT)

On Mon, 20 Sep 2004, Chris Pugrud wrote:

Set theory and discrete mathematics give us a good foundation to evaluate the
risk exposure between groups, but those tools only work with absolutes.  A
point is either a member of a set, or it isn't.  If two networks are airgapped,
they are logically and provably separate.  If two groups are joined with a
"firewall" policy of "permit ip any any" they are logically and obviously
joined, with the grouping inheriting the policy and exposure of the weakest
member(s).  There is nothing to take into account one-way transactions, as TCP
permits, other than to wave a wand over distinctive sets.  If two sets can
initiate communication into the intersection, but the intersection can not
initiate communication out, then the sets can, observably, be shown to be
disjoint, outside of the intersection.

All of this noticeably falls apart in the real world, where we have to allow
selected ports to cross boundaries with minimal controls.

I also believe that attempting to indicate risk exposure through set
theory falls apart in the real world as well. Trust relationships based on
port numbers and direction mean nothing when you're running unpatched
software that permits anyone to violate that trust. An unpatched server
running on port 80 is no safer than the same code running on port 22.

Perhaps your method is a good way of visualizing an existing
configuration, but not an effective way to determine policy.

-j

-- 
J. Adams                                        http://www.retina.net/~jna


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
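As an added illustration of the set model the two posters are arguing about (example code, not from the thread or either author): zones are nodes, each "permit" rule is a directed edge from the side that may initiate to the side that responds, and both Pugrud's "disjoint unless someone can initiate into the other" test and his "group inherits its weakest member" grouping fall out as reachability. The zone names and rule sets are constructed for the example; the last function models Adams' objection that a compromised permitted service becomes a new initiator regardless of which port the rule allowed.

```python
from collections import deque

# Constructed one-way "permit" rules as (initiator, responder) pairs.
# TCP replies to a permitted connection are implied, so direction means
# who may *initiate*.  Hypothetical topologies, not from the thread.
AIRGAP_RULES = []                                        # no path at all
ANY_ANY_RULES = [("inside", "outside"), ("outside", "inside")]  # permit ip any any
DMZ_RULES = [("inside", "dmz"), ("internet", "dmz")]     # dmz initiates nothing

def _reach(start, rules, forward):
    """Breadth-first walk over the rule graph.  forward=True follows
    initiator->responder edges; forward=False follows them in reverse."""
    seen, work = set(), deque([start])
    while work:
        cur = work.popleft()
        for src, dst in rules:
            here, there = (src, dst) if forward else (dst, src)
            if here == cur and there not in seen and there != start:
                seen.add(there)
                work.append(there)
    return seen

def can_initiate_into(zone, rules):
    """Zones that can initiate a connection into `zone`, directly or via hops."""
    return _reach(zone, rules, forward=False)

def disjoint(a, b, rules):
    """Pugrud's criterion: neither side can initiate into the other."""
    return a not in can_initiate_into(b, rules) and b not in can_initiate_into(a, rules)

def exposure_group(zone, rules):
    """Everything that can initiate into `zone` plus the zone itself; the
    grouping inherits the policy and exposure of its weakest member."""
    return can_initiate_into(zone, rules) | {zone}

def reachable_after_compromise(foothold, rules):
    """Adams' point: once a permitted service on `foothold` is exploited the
    attacker initiates from it, so what it can reach is what matters."""
    return _reach(foothold, rules, forward=True)
```

With `DMZ_RULES` the inside and internet zones come out disjoint and a compromised DMZ reaches nothing further; add a single `("dmz", "inside")` permit and the same DMZ foothold reaches inside, which is the port-independent exposure Adams describes.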
