> Hi folks,
> I've recently had customers coming up more and more with the "Secured
> operating system" question. That is ... what is the benefit of having a
> specially secured operating system on a machine which no one is going to
> log in to?
That's progress. Knowledge is improving to the point where customers are
able to ask more searching questions of a vendor, rather than accepting
that 'firewalls are a real specific product, so let's buy the cheapest'.
> Now, I have my own opinions on this one, but i'd like a more general
> the list (if one exists). I'm not in the business of starting a holy
> i'd kindof like facts only please.
Do you mean that you are only interested in views which agree with your
> Now I have a few conditions i'd like to put on the firewall host in
> 1) It sits between the internet and an internal network and all traffic
> through it.
> 2) It's an application gateway (like fwtk, gauntlet, raptor, etc). There
> packet routing going on.
> 3) There are no login users (except root, whose access is controlled by a
> securid card or other secure password scheme).
> 4) The only network ports enabled are pointed at proxy daemons.
> 5) The firewall is physically secure.
So it's typical of many existing firewall installations, except 'physically
secure' can mean many different things. Do you mean it's in a bank vault
with a time lock, only one person has access, and that person has been so
thoroughly checked that they can be completely trusted? - or do you mean
that the firewall is somewhere in the MIS department and the plywood and
glass door is locked when the area is unattended (with a spare key hanging
on a rack in reception and emergency access is by lifting a ceiling tile
and crawling through the void) by authorised personnel? - or anywhere
between the two extremes?
> The question is ... Is there any benefit in having an MLS or specially
> operating system on the host or will a standard opsys meeting these
You asked about 'secure' opsys and 'MLS' opsys.
'secure' opsys don't exist. Trusted operating systems come in a wide
variety of shapes and flavours. Some have been independently evaluated and
certified by a government agency against published criteria, some are
vendor claims to comply with particular criteria. They are trusted to
the extent of the evaluation system and the criteria, or by how much you
trust a particular vendor claim.
If your risk analysis has identified a number of potential risks, you can
map that onto the evaluation matrix of particular criteria and that will
show the minimum trust attainment levels you have to achieve in your
If you want a general all-purpose comment: the higher the assurance level,
the better you are addressing hostile attack. You may also be addressing
need for integrity. If a B1+ system addresses all known attacks, that's the
level to pitch for as a minimum. If someone finds a way through B1+, then
you have to upgrade your system or do what most folk do and just get the
prayer mat out. Of course in the latter situation why bother with any form
of firewall, just buy a bigger prayer mat.
'MLS' may be either of two different approaches.
Multiple Levels of Security can be achieved by separating activities/data
into networks or machines which can only be accessed by authorised people.
That access might be direct or indirect. An 'air-gapped' or 'sneakernet'
system is MLS because there is the hostile untrusted outside world and
there is another level which is the nice friendly perfect internal world
which you know and love. The automated version has some type of barrier
which can allow everything or nothing through automatically, but it still
implies 2 levels of trust.
Multi-Level Secure systems are machines and/or environments where
electronic partitions provide one-way valves. It is a feature of systems
at and above TCSEC B1. It is however only one of a range of features,
techniques and technologies which come in at and from B1.
If you are blinkered to total reliance on all security being provided at
the firewall, MLS, in its strict sense when applied to general purpose IT
systems, does not apply much because you should only have 3 direct users.
However those three users can be segregated so that no one person is able
to fiddle the system.
The other thing which a B1/B1+ system allows is a wider range of choice in
design of a barrier and that choice comes from understanding what extra
capabilities are available. There is considerable difference between a B1
system and an A1 system or the B2 and B3 levels between the B and A
divisions, but all could be operated as MLS.
The further implications of Multi-Level Secure systems are that someone
creating a real enterprise-wide security policy can actually implement it
only by employing MLS in either the Multiple or Multi forms. Multi LS has
the virtue of enabling you to provide reasonable levels of assurance and
integrity without seriously reducing security.
> Like I said, I have my own opinions, but i'm going to reserve them for
> i'd welcome the opinion of the list.
Why not share your opinions with the list? That's not only less selfish,
but it's the way we all learn, by seeing alternative or supportive views.
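The "one-way valve" behaviour the reply attributes to Multi-Level Secure systems, shown as an added illustration that is not part of the original message or of any product it names: a small Bell-LaPadula style reference monitor that enforces "no read up" and "no write down" over a lattice of levels and compartments, and records every refused request as an audit trail. The subject and object names, the levels and the compartment 'internal' are constructed assumptions chosen to mirror the two-level gateway in the discussion (hostile outside, trusted inside).

```python
"""Lattice-based MLS reference monitor (Bell-LaPadula style).

Added illustration only: the subjects, objects, levels and compartments
below are constructed assumptions, not taken from the mailing-list post.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other in the lattice: level is higher-or-equal AND the
        # compartment set is a superset of the other label's compartments.
        return self.level >= other.level and other.compartments <= self.compartments


class ReferenceMonitor:
    """Mediates every read/write and keeps an audit trail of denials."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self.subjects = subjects
        self.objects = objects
        self.denied: List[Tuple[str, str, str]] = []  # (subject, op, object)

    def check(self, subject: str, op: str, obj: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if op == "read":
            ok = s.dominates(o)   # simple security property: no read up
        elif op == "write":
            ok = o.dominates(s)   # *-property: no write down
        else:
            raise ValueError(f"unknown operation {op!r}")
        if not ok:
            self.denied.append((subject, op, obj))
        return ok


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed labels for a two-level gateway: the hostile outside world
    at UNCLASSIFIED, the internal network at SECRET with compartment 'internal'."""
    outside = Label(Level.UNCLASSIFIED)
    inside = Label(Level.SECRET, frozenset({"internal"}))
    subjects = {
        "outside_proxy": outside,
        "inside_proxy": inside,
        "secret_no_compartment": Label(Level.SECRET),  # right level, wrong compartment
    }
    objects = {
        "internet_socket": outside,
        "internal_mailspool": inside,
    }
    return ReferenceMonitor(subjects, objects)


def run_demo() -> Dict[str, bool]:
    """Exercise the valve: information may flow upward only."""
    rm = build_demo_monitor()
    return {
        "outside reads internet": rm.check("outside_proxy", "read", "internet_socket"),
        "outside writes up into internal": rm.check("outside_proxy", "write", "internal_mailspool"),
        "outside reads internal (read up)": rm.check("outside_proxy", "read", "internal_mailspool"),
        "inside reads internet": rm.check("inside_proxy", "read", "internet_socket"),
        "inside writes to internet (write down)": rm.check("inside_proxy", "write", "internet_socket"),
        "secret w/o compartment reads internal": rm.check("secret_no_compartment", "read", "internal_mailspool"),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {name}")
```

The two denials for the proxies are the valve: the inside proxy may pull data in from the lower level but can never push it back down, and the outside proxy can deposit data upward but never read what is above it. The third denial shows why compartments matter: being at the SECRET level is not enough without the 'internal' compartment. In a real trusted OS the monitor is in the kernel and labels are attached to processes, files and sockets; here the same decision logic is kept in one class so the rule is easy to read and audit.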