:From dorian Thu Apr 28 11:35:18 1994
> highly developed IS infrastructure and very high security needs. Among
> the requirements is "separation of duties"--that is, it should be
> impossible for a single individual, including a firewall manager, to
> subvert the purpose of the firewall. Also, my client requires
> "Steve" Stephen L. Arnold, Ph.D., Principal, Arnold Consulting
:But seriously, is that really possible? Without thinking too deeply
:about it, my initial reaction is that it's a bit like trying to
:play yourself in chess: it's fairly difficult to outsmart yourself.
I think my colleague has been working within resource limits too long :-)
The classic solution to this problem is requiring two people to each
perform the same actions before it takes effect.
That is why 2 keys are necessary in an ICBM silo.
Of course, (human) management methods are necessary to prevent collusion.
For an Internet firewall application, two firewall are necessary in series.
Whatever one person lets through his firewall can only get as far as the next
firewall unless it has been done there also. The more trustworthy person should
be responsible for the internal firewall and monitoring (unsuccessful) attempts
that could only reach that layer if the outside firewall had unauthorized
I do not endorse this lack of trust of the firewall manager, since so many
other actions (how hard is it to set up a modem, or copy a floppy) could
undermine the security perimeter. Remember, if it is sufficiently inconvenient
just about anybody will subvert the security you put in place.
(Brent says this 20 times a day, so I did it for him this time :-)