Great Circle Associates Firewalls
(April 1994)

Subject: Re: Wanted: firewall manager position description
From: Brad Passwaters <bjp @ is000796 . bell-atl . com>
Date: Thu, 28 Apr 94 16:51:11 -0400
To: johns @ oxygen . house . gov (John Schnizlein)
Cc: firewalls @ GreatCircle . COM, dorian @ oxygen . house . gov
In-reply-to: Your message of "Thu, 28 Apr 94 15:24:12 EDT." <9404281924 . AA19565 @ oxygen . house . gov>

> The classic solution to this problem is requiring two people to each
> perform the same actions before it takes effect.
> That is why 2 keys are necessary in an ICBM silo.
> Of course, (human) management methods are necessary to prevent collusion.
> 
> For an Internet firewall application, two firewalls are necessary in series.
> Whatever one person lets through his firewall can only get as far as the next
> firewall unless it has been done there also. The more trustworthy person should
> be responsible for the internal firewall and monitoring (unsuccessful) attempts
> that could only reach that layer if the outside firewall had unauthorized
> capabilities enabled.

I thought about this too, but it appears to me that the inner firewall
person could still compromise security.  The two firewall admins have to
understand how each other's stuff works (or they can at least infer it based
on given data).  So the inner firewall person could replace valid secure
services with trojan versions.  Classic easy example - EXT-firewall permits
SMTP traffic - admin of INT-firewall replaces sendmail with something that
spawns a shell.  You need to find a system where NO one person/administrator
can compromise it.  Looks to me to require a lot of thought.


Brad Passwaters					bjp @ nsm . bell-atl . com
Network Software Management (BAINET)		bf5t0p6 @ bell-atl . com (OSIN)
Voice:301-236-6221				FAX:301-236-1061
-------------------------------------------------------------------------------
"...and he never wondered what was right or wrong, he just knew, he just knew"
        David Crosby and Phil Collins "HERO"
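The trojaned-sendmail scenario above, worked through as an added example (not code from the original thread or from either poster): the inner host refuses to run a permitted service unless the baseline hash of its binary is countersigned by BOTH firewall admins, so no single administrator can swap in a shell-spawning replacement and keep the check passing. The HMAC keys, file path, and the two sample "binaries" are constructed stand-ins; a real deployment would use proper signatures and would have to keep the checker itself out of the inner admin's reach.

```python
"""Two-person control over the inner firewall's permitted-service binaries.

Added example, not from the original thread. Models the reply above: the
outer firewall permits SMTP, so the inner admin's easiest back door is to
replace the sendmail binary behind it. Here a service only runs if a baseline
of its binary's SHA-256 is countersigned by both admins (HMAC keys stand in
for whatever signing mechanism is actually deployed). A swapped binary fails
the hash check, and a re-baselined trojan fails for lack of the second key.
"""
import hashlib
import hmac

# Constructed sample "binaries": stand-ins for the real files on disk.
GOOD_SENDMAIL = b"#!/bin/sh\nexec /usr/lib/sendmail.real -bd -q30m\n"
TROJAN_SENDMAIL = b"#!/bin/sh\nexec /bin/sh -i\n"  # spawns a shell instead

# Assumed per-admin secret keys (held separately, never both on one host).
KEY_EXT_ADMIN = b"external-firewall-admin-key"
KEY_INT_ADMIN = b"internal-firewall-admin-key"

SENDMAIL_PATH = "/usr/lib/sendmail"  # assumed path, for illustration only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_baseline(baseline: dict, key: bytes) -> str:
    """One admin's countersignature over the canonical baseline text."""
    canonical = "\n".join(
        f"{path}={digest}" for path, digest in sorted(baseline.items())
    ).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_dual_signed(baseline: dict, sig_ext: str, sig_int: str) -> bool:
    """Both admins must have signed exactly this baseline."""
    return (
        hmac.compare_digest(sign_baseline(baseline, KEY_EXT_ADMIN), sig_ext)
        and hmac.compare_digest(sign_baseline(baseline, KEY_INT_ADMIN), sig_int)
    )


def may_run_service(path: str, binary: bytes, baseline: dict,
                    sig_ext: str, sig_int: str) -> bool:
    """Permit the service only if the baseline is dual-signed AND the
    on-disk binary matches the hash recorded in it."""
    if not baseline_is_dual_signed(baseline, sig_ext, sig_int):
        return False
    return hmac.compare_digest(baseline.get(path, ""), sha256_hex(binary))


def demo() -> dict:
    """Three cases: legitimate binary, trojan swap, trojan re-baselined by
    the inner admin alone. Returns a dict of case name -> permitted?"""
    baseline = {SENDMAIL_PATH: sha256_hex(GOOD_SENDMAIL)}
    sig_ext = sign_baseline(baseline, KEY_EXT_ADMIN)
    sig_int = sign_baseline(baseline, KEY_INT_ADMIN)
    results = {}

    # 1. Legitimate binary, both countersignatures present: permitted.
    results["good"] = may_run_service(
        SENDMAIL_PATH, GOOD_SENDMAIL, baseline, sig_ext, sig_int)

    # 2. Inner admin swaps the binary but leaves the baseline alone: blocked
    #    because the hash no longer matches.
    results["trojan_binary"] = may_run_service(
        SENDMAIL_PATH, TROJAN_SENDMAIL, baseline, sig_ext, sig_int)

    # 3. Inner admin re-baselines the trojan and re-signs with only his own
    #    key, reusing the external admin's old signature: blocked because the
    #    external signature no longer covers this baseline.
    evil_baseline = {SENDMAIL_PATH: sha256_hex(TROJAN_SENDMAIL)}
    results["trojan_rebaselined_one_sig"] = may_run_service(
        SENDMAIL_PATH, TROJAN_SENDMAIL, evil_baseline,
        sig_ext, sign_baseline(evil_baseline, KEY_INT_ADMIN))
    return results


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case}: {'permitted' if permitted else 'BLOCKED'}")
```

The check only helps if the inner admin cannot also disable or edit the checker, which is the same "requires a lot of thought" problem the post ends on: the enforcement point has to sit somewhere neither admin controls alone, and, as the quoted reply notes, collusion between the two still defeats it.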
