Kevin kml @
> I wonder, though, whether those advantages are significant enough
> to warrant the extra effort required to come up to speed on trusted
> systems. I can understand why people who already have trusted systems
> experience (and products) think that they have a very fine hammer
> for firewall building. I'm not sure though, that it is such a wonderful
> hammer that we all need to throw away our current hammers and replace
> them (at considerable expense).
Don't throw away your other hammers yet. MLS makes sense only for
mission critical systems needing high assurance, and complete auditing,
on which the company depends for protecting its assets.
Oops, sounds like I just described a firewall platform 8^).
> I'd like to hear from people (without previous trusted systems experience)
> who have decided to build firewalls on top of trusted systems...
I hope that you succeed in finding many such people; however, you'll
also get some comments from people with experience with trusted
systems. Hopefully, experience has made us wiser. Your analogy to
a hammer points out truthfully that a lot of people with a product
keep looking for a solution. But just because they finally say "HEY
MLS makes sense for FIREWALLS" doesn't mean that they're wrong--just
that they're glad to see a good commercial application for what has
been a lot of grueling work.
> In an earlier message, Les Carleton <les @
> >I've recently had customers coming up more and more with the "Secured
> >operating system" question. That is ... what is the benefit of having a
> >specially secured operating system on a machine which no one is going to be
> >logging in to?
> I'd like to expand the question a little bit. We've seen months of
> discussion of the virtues of MLS (and TE) systems on the list. Obviously
> there are plenty of people who believe that there are advantages to
> using trusted systems to build firewalls.
... because of the obvious benefits of multiple layers of protection.
Seriously, there is no black and white, right or wrong answer here.
The correct answer is "It all depends." How important are the assets
that you wish to protect, how much risk are those assets exposed to
with various plans. But in the case of firewalls connecting systems to
the internet, it doesn't take a very large company to justify the
protection of a firewall.
The cost difference b/n MLS firewalls such as the Harris Cyberguard and
firewalls on "hardened hosts" (loose vendor definition applies here)
is not that much. For a medium to large sized company, the amount of
risk that you are ameliorating would probably justify expenses far in
excess of the most expensive firewall on the market.
How much more "firewall" do you get with a CyberGuard? A lot. You
just can't do the same level of intrusion detection w/o auditing that
occurs independently of the programs running on the system.
> DISCLAIMER: It seems only fair to mention that I used to work for a
> CMW vendor (although I won't make any claims to being a trusted systems
> guru). The company was full of bright people, and made a solid
> product. I just never really managed to convince myself that using
> trusted systems was worth the trouble. Then again, I've been wrong
There are probably a lot of internal systems out there that don't need
the extra protection of a CMW. How do you feel about the systems that
form your perimeter defense?
DISCLAIMER: I have a vested interest in MLS operating systems. That
means that my opinions may be biased, but not necessarily incorrect :)
Secure Systems Engineering
AT&T Bell Labs
PS: I've been trying to avoid the urge to post on this one since I'm
sure that most of you already know where I stand on this issue. I'm
*VERY* pleased to see more awareness about the benefits of trusted OS's
on the list.