Great Circle Associates Firewalls
(May 1994)
 


Subject: Re: Firewall Administrator (lack o'trust)
From: sangster @ reston . ans . net (Paul Sangster)
Date: Mon, 9 May 1994 17:41:18 +0500
To: firewalls @ greatcircle . com

Stephen.L.Arnold@Arnold.Com wrote:
> 
> The position description will be oriented to a large company with a
> highly developed IS infrastructure and very high security needs.  Among
> the requirements is "separation of duties"--that is, it should be
> impossible for a single individual, including a firewall manager, to
> subvert the purpose of the firewall.

What you call "separation of duties" is frequently referred to as "least
privilege" in many security circles, but with a rather different twist.  I
believe that partitioning the privileges of the firewall administrator such
that each person is only able to perform some limited security-relevant tasks
(e.g. user account maintenance) is a reasonable thing to ask for.  However, at
some point you have to trust your administrators not to subvert your
security policies.  Your customer seems to want the firewall machine(s) to avoid
trusting any individual, which is probably not doable.  For instance, if someone
can load new software (e.g. upgrades) on the system, they could replace the
authentication and/or authorization mechanisms and assume full control.

Some government systems desire a similar security policy for their top secret
systems.  One *limited* approach is to employ a "2 designated man rule."  This
policy could just mean that 2 independent, authorized individuals approve
each security-relevant action.  This is frequently not practical, but could
be interpreted as requiring 2 authorized individuals to authenticate before the
administrator shell is invoked, and that both need to be present for all
actions until the shell is exited.  You could require a second dual
authentication to occur to exit the shell.  Also, all actions are feverishly
audited for later accountability.  Now both authenticated administrators
are accountable for every action which occurred.  An independent system
auditor could be responsible for monitoring the logs.

With that said, I think you should consider trying to solve this problem with
administrative, physical, and personnel security.  Good background
investigations (in some cases), badges, walls, doors, guns and dogs :-) are
quite effective means of security which *sometimes* can be replaced with
technology, but not always.  Maybe these along with a requirement of both
being physically present at the console would suffice.

The InterLock has plans to provide some mechanisms to promote least privilege
of administrative functions in the upcoming release.  However, in most models
some administrator is responsible for assigning each of these privileges, so
this individual could still decide to assign himself (or herself) all
possible privileges (thus breaking your model).  Of course, many firewalls
can have their privilege definitions circumvented by a savvy person with
physical access to the machine and a set of modified boot floppies :-(.

Paul
____________________________________________________________________________
                                Paul Sangster
Advanced Network & Services                          Software Engineer
1875 Campus Commons Dr.                              sangster@reston.ans.net
Suite 220,  Reston VA 22091                          (703) 758-7706
____________________________________________________________________________
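The "2 designated man rule" shell sketched in the message above (two authorized people must authenticate before the administrator shell opens, both stay accountable for every action, and a second dual authentication is needed to exit), as an added example that is not code from the original post, the InterLock product, or any other firewall.  The administrator names, passwords, PBKDF2 credential store and the in-memory audit list are all constructed for the example; a real deployment would take credentials from the firewall's own authentication service and write audit records somewhere the two administrators cannot alter.

```python
"""Two-person rule for a privileged administrator shell (added example).

Both administrators authenticate before the session opens, every action is
logged against both identities, and closing the session needs the same pair
to authenticate again.  Credentials and users below are constructed sample data.
"""
import hashlib
import hmac
import os
import time


# Assumption for the example: PBKDF2-SHA256 password hashes with a random salt.
def _derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def _make_record(password: str):
    salt = os.urandom(16)
    return (salt, _derive(salt, password))


# Constructed credential store: three authorized administrators, any two of
# whom (but not the same person twice) may open a privileged session.
CREDENTIALS = {
    "alice": _make_record("correct horse"),
    "bob": _make_record("battery staple"),
    "carol": _make_record("xyzzy-plugh"),
}


def authenticate(user: str, password: str) -> bool:
    """Constant-time check of a password against the stored hash."""
    record = CREDENTIALS.get(user)
    if record is None:
        # Burn a derivation anyway so unknown users are not distinguishable by timing.
        _derive(b"\x00" * 16, password)
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(salt, password), expected)


class TwoPersonSession:
    """Privileged shell that exists only while two distinct administrators
    have both authenticated; every action is attributed to both of them."""

    def __init__(self, audit_log: list):
        self.audit = audit_log   # append-only list of audit records (constructed sink)
        self.admins = None       # (user_a, user_b) while the session is open

    def _log(self, event: str, admins, detail: str = ""):
        self.audit.append({"ts": time.time(), "event": event,
                           "admins": tuple(sorted(admins)), "detail": detail})

    def _dual_auth(self, a, pa, b, pb) -> bool:
        if a == b:
            return False          # one person holding two passwords is not two people
        ok_a = authenticate(a, pa)   # evaluate both so a failure does not
        ok_b = authenticate(b, pb)   # reveal which credential was wrong
        return ok_a and ok_b

    def open(self, a, pa, b, pb) -> bool:
        """Open the shell only after both administrators authenticate."""
        if self.admins is not None:
            return False
        if not self._dual_auth(a, pa, b, pb):
            self._log("open-denied", (a, b))
            return False
        self.admins = (a, b)
        self._log("session-open", self.admins)
        return True

    def run(self, command: str, handler):
        """Execute one privileged action via handler, logged against both admins."""
        if self.admins is None:
            raise PermissionError("no two-person session is open")
        self._log("action", self.admins, command)
        return handler(command)

    def close(self, a, pa, b, pb) -> bool:
        """Exiting also needs both: the same pair must re-authenticate."""
        if self.admins is None or {a, b} != set(self.admins):
            return False
        if not self._dual_auth(a, pa, b, pb):
            self._log("close-denied", self.admins)
            return False
        self._log("session-close", self.admins)
        self.admins = None
        return True
```

This enforces only the authentication and audit half of the rule.  The two caveats the message itself raises still hold: nothing in the code proves both people are physically at the console, and anyone who can replace the software on the machine can replace this gate along with the rest of the authentication mechanism.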

