In message <Pine.LNX.3.94.960903170055.9771G-100000@cet.cet.com> Robert Hanson writes:
> what is intended for "strong" protection then? tia...
It depends on which religion you subscribe to. If it's the NCSC religion,
"strong" protection (which they call "high assurance") doesn't kick in until
you're running on at least a B2-evaluated system (B3 and A1 will also do the
trick).
The notion behind "high assurance" is that covert channel analysis has been
performed to ensure that mechanisms used by the operating system itself to
exchange data between its own processes/objects cannot be subverted to bypass
system security policy and exchange meaningful human-readable information (or,
ostensibly, trojan horse code). The practical notion behind it is that a high
assurance system will not only be difficult to hack from the outside, it will be
difficult to compromise by expert users on the inside. It will also make
auditing of security administrator logins and logouts impossible to circumvent,
even by the security administrator, so there is always *some* kind of audit
trail even of the "superuser".
"Medium assurance" (B1) and "High Assurance" (B2-A1) systems also provide two
access policies - discretionary, which is also provided on C-level systems, and
mandatory, which is unique to B and A level systems. Used intelligently, a
mandatory policy can help further protect firewall executable images and
configuration files from hacker attack, and can also isolate the firewall from
the underlying operating system in a way that is harder to circumvent than using
discretionary access controls alone.
Anyone who's really interested in this stuff can take a look at the NCSC's
Orange and Yellow Books.
Those of the ITSEC persuasion will discover that their Protestantism isn't all
that different from NCSC's Catholicism when it comes to defining "high
assurance". The difference is that the ITSEC separates features from assurance
when it rates a system, so that one could ostensibly have a system with all
sorts of security features that are found in high assurance systems, with no
corresponding level of assurance that the features work as designed and
documented. I guess this is because (allegedly) in the commercial world (and,
frighteningly, in much of the government) people don't care about independent
certification of a vendor's security claims. For example, why would anyone in
his right mind trust a vendor's word on whether the "hardened" UNIX on which its
firewall runs actually has all the security "holes" removed. Or whether an
unevaluated system truly has the assurance the vendor claims it does? Oh well.
There are a lot of folks who want to do away with the FDA, too, and leave it up
to the individual drug companies to assure us their products are safe. I don't
know if I'm too cynical, but I kind of like knowing that the organisation
certifying the safeness of a drug - or the assurance of an operating system -
isn't the same organisation that has a vested interest in selling that drug or
organisation.
REALITY CHECK: Nothing the underlying operating system does can guarantee the
correctness of the firewall application code. However, the operating system
*can* be used to isolate that code in a way that will ensure that if the
firewall code contains some (intentionally or unintentionally) malicious code,
that malicious code cannot attack the operating system.
=====
K.M. GOERTZEL
Manager, Business Development
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
+1-703-827 3914
+1-703-827 3161 (fax)
goertzek@wangfed.com
http://www.wangfed.com/products/ssso/homepage.html
***
"The true artist has no pride, for he realizes art's demands are
limitless, and though he may be admired or praised by others, he
sees only darkly how far he is from his goal, when a greater
inspiration shall shine before him like a distant sun."
-- Ludwig van Beethoven
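The mandatory-versus-discretionary distinction and the "REALITY CHECK" isolation argument in the post above, as an added toy reference monitor (not code from the original message or from any evaluated system): a Biba-style integrity lattice in which even a root-level subject cannot write up, beside a discretionary policy that root or an owner's grant can always bypass. The labels, subjects, file names and the "firewall daemon runs as root" assumption are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed integrity lattice (Biba-style): higher number = more trusted.
LEVELS = {"user": 0, "firewall": 1, "system": 2}

@dataclass
class Obj:
    name: str
    owner: str
    level: str
    acl: set = field(default_factory=set)   # DAC: extra names allowed to write
@dataclass
class Subject:
    name: str
    level: str
    superuser: bool = False                 # uid 0 under DAC

def dac_allows_write(s, o):
    # Discretionary: the owner decides, and the superuser bypasses everything.
    return s.superuser or s.name == o.owner or s.name in o.acl

def mac_allows_write(s, o):
    # Mandatory "no write up": a subject may not modify higher-integrity
    # objects, and neither the owner nor root can change a label at run time.
    return LEVELS[s.level] >= LEVELS[o.level]

def can_write(s, o, mac_enabled):
    """Reference monitor: MAC is checked first and DAC cannot waive it."""
    if mac_enabled and not mac_allows_write(s, o):
        return False
    return dac_allows_write(s, o)

def grant_dac(owner, o, grantee):
    """Owner hands out discretionary write access (the classic DAC weakness)."""
    if owner.name == o.owner:
        o.acl.add(grantee.name)

def scenario(mac_enabled):
    os_conf  = Obj("/etc/os.conf", owner="root",    level="system")
    fw_image = Obj("/opt/fw/fwd",  owner="fwadmin", level="firewall")
    fwd      = Subject("fwd",      level="firewall", superuser=True)  # daemon, runs as root
    intruder = Subject("intruder", level="user",     superuser=True)  # hacker who got root
    fwadmin  = Subject("fwadmin",  level="firewall")
    www      = Subject("www",      level="user")
    grant_dac(fwadmin, fw_image, www)   # careless admin lets the web account write the image
    return {
        "subverted_fw_writes_os": can_write(fwd, os_conf, mac_enabled),   # malicious fw code vs OS
        "root_intruder_writes_fw": can_write(intruder, fw_image, mac_enabled),
        "granted_user_writes_fw": can_write(www, fw_image, mac_enabled),
    }
```

Under DAC alone every one of the three writes succeeds; with the mandatory labels enforced, all three are refused, which is the isolation the post describes.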