To: "firewalls @
Subject: OS for firewalls
Date: 07 August 1994 09:08
Not really, just limited bandwidth posted.
#Don't take it personally. Not sure how you interpret debate, but I take the
dictionary definition that it is communication between two or more people,
with or without a vote. A few folk took time to communicate.#
But "security by obscurity cannot be counted on - it only works when people
do not try very hard to break it. Besides we have no real choice about
#No form of security can be counted on absolutely. The use of the word
'security' often does not help us because too many people seem to assume
that it can be total. 'Risk' and 'threat' may be more meaningful, then we
can talk about *reducing risk* to *acceptable levels*. However, obscurity
has been a fundamental factor in intelligence/counter intelligence for as
long as man has worried about such things. It works for a period and that
may sometimes be a very short period. However you tackle risk reduction it
is a dynamic process and the risk policy has to be reviewed and re-tested
and modified to maintain any chosen level of risk reduction.#
Really have trouble with this generalization.
#UNIX is a generalization with many flavours based on AT&T code and some
products which claim to conform to SVID but claim not to use AT&T code. Fact
is people did not start buying UNIX because it was the finest OS ever
designed by man. They bought it because a few governments mandated it and a
number of companies put a lot of money and effort into promoting it on the
basis that it would dramatically reduce costs and free buyers from the
control of individual computer companies. DOS got going because customers
believed that it would slash costs and did not demand a multiple PhD in OS.
The other thing which helped DOS was that most users don't know what an OS
is and really don't care. That is becoming true of modern UNIX users,
although most of the old fossils like us seem to get very excited about the
fine detail of the OS and other exciting things.#
Being a single tasking machine, whatever application is running,
controls the machine so this is not a problem. The same thing *could*
be done with a Unix box but why waste it ?
# That's true. It may be that most Firewalls run with UNIX because people
just want to have a single flavour of technology to worry about. I did make
the point that a dedicated product is likely to be much better doing its
designed job than any multi-role product and that applies to Firewall as
much as any other area. However, down the years I have seen a whole raft of
military projects where people felt that they could not go down-market and
buy something that already existed and a few million people used
successfully because their requirements were so
'special/superior/demanding/unique'. They spent a fortune re-inventing
wheels and came up with highly specialized equipment which presented major
training and support problems and by the time they had finished development
the world had moved on a few decades or light years.#
Huh ? Far as I know DOS (MS-DOS or PC-DOS) works only on an Intel platform
and with a BIOS compatible with the IBM specification of 27 November 1982
(what "100% compatible" really means). In fact, a Pentium starts up in
"real" mode which exactly emulates the 1979 Intel 8086, 1 Mb memory
limit and all.
#As far as I know (but there may be some folk out there who know different)
all road vehicles use wheels, even if some of them run inside their own
tracks, but Mr. Ford, or any other vehicle manufacturer, would probably get
very upset if we insisted that all motor vehicles were the same and were
Daimlers with Dunlop tyres.
'Compatibility' has always meant different things to different folk, even to
the point where people will argue the merits of formal methods against
structured methods against natural language in expressing 'standards' and
requirements. The PC world has tended to claim that compatibility exists if
there is a reasonable chance that something might work with something else.
To me '100% compatible' means no need for debate and I look forward to the
time when that becomes possible but I probably will not be around to see it.
Even one manufacturer can have problems achieving compatibility within his
own product range.
There are a few folk out there who make PC "chips" and a few folk who make
"X-DOS" OS. There are a lot more who assemble the technology onto mother
boards of their own design. Some of them make frequent detailed changes
without adequately informing their customers, or even adequately documenting
for internal use, and that can make life very difficult for anyone trying to
build applications which have to be replicated. If you plan to build a
unique product and will only ever use it on one specific item of equipment
that will probably not cause you too many problems, although it may present
some problems for others when you die or the machine cannot be maintained.#
Has nothing to do with it. Both Orange book and Common Criteria are for
multi-tasking, multi-user machines, for a firewall application IMHO what
is needed is a dedicated embedded controller.
#Can't agree. All criteria developed to date are aimed at providing an
environment where security claims can be tested against the criteria. The
European ITSEC was aimed at taking the 'military/intelligence mystique' out
of IT security (although there may be a few views about how well it
succeeded) so that any user could address this important issue. It also
provided the means to evaluate generic products and to report functionality
as well as assurance. The international CC is starting out as an ITSEC-like
criteria but may have a very long way to go before it is completed and
people can start using it and it may change in the process.
People have already had dedicated embedded products evaluated under various
security criteria. System accreditation has been carried out on systems
which include such products.
What most people need is not a specific flavour of OS, or any other piece of
technology, so much as a clear idea of what they are trying to achieve in
risk reduction. That means that they have to have a methodology to support
risk analysis and produce a risk policy which matches and supports the
enterprise policy. Having done all that, they need to evaluate solutions and
measure how well they meet requirements. If you have a great deal of time
and money you may not need any external security criteria and just go out
and test everything using your own methods. Unfortunately, most people are
not that lucky, or they just want to plug the holes today before they get
hit. Having somebody else build a system for specifying, testing and
certifying (independently from a vendor who may just have a vested interest
in selling you something) can save a lot of grief.
You may be right in saying that a dedicated embedded controller is the
answer to the maiden's prayer, although there may be many who take a
different view for whatever reason - good or bad. My own view is that it
should come down to the risk policy which should balance all the factors as
they specifically apply to the particular enterprise and that includes
performance, cost, ease of use, fitness for purpose, availability.#
Wonderful. They address covert channels. With a properly designed single
state machine you have no covert channels.
# I notice that people often refer to particular IT security criteria
without understanding what they mean. I would not wish to contribute to the
confusion by discussing a small number of areas from a particular Division of
just one criteria. Those who want to inform themselves can obtain copies of
the TCSEC, FC-FIPS, ITSEC and (when it gets that far) the CC. Study of the
"Orange Book" evaluation matrix will confirm that 'covert channels' is
indeed one of a number of areas addressed in the higher Divisions, although
some will argue that a Multi-Level Secure system will always have one covert
channel which is the human operating the system.#
Started serious work with SEL 800 in 1967.
#Always nice to know that there are other ancient mariners out there who are
still able to drag their aging bones to the keyboard - *BUT* experience is not
everything. Some of our younger colleagues succeed because they don't yet
know that they can fail and, while poor old folk spend more time looking
back, they can only look forward.#
The choice of the Intel/PC platform is based on the fact that it is cheap
"good enough" for the job and because by using it as an embedded controller
it can be (note the operative) made immune to outside influences. Do not
intend to use DOS (or any OS for that matter) except as an easy way to
boot the machine (might not even need it for that - have written
programs for the PC before (just for the record, Microsoft's Flight
was a "self booting program", there was no OS involved - was more common in
the early '80s than now)).
# No reason why it should not work for you. You may also choose to make a
product to sell to others and support it. Like all systems, someone will
find a way of breaking it eventually. I am not sure that it is necessarily
the best way for most people. Over the years I am sure that we have both
seen many brilliant solutions built by very clever people and achieving
terrific performance at much less cost than anything else on the market, but
they usually fall apart because they need skills which most people don't
want to spend time learning.
Like you, I am old enough to have experience of technology before DOS and
UNIX, but many of the 'Firewalls' folk may not know any other world than
UNIX *OR* DOS. Clearly, some of them have very fixed ideas about the merits
of a particular OS and no interest in working with anything else. In many
cases that may work very well for them.#
Relaxed but watchful.