"K.M. Goertzel" <goertzek @ wangfed . com> writes:
>It would seem that one of the considerations when selecting between
>products that meet requirement #3 above is that one way of "assuring"
>that the underlying operating system is as secure as the vendor claims
>it is would be to have an *independent* evaluation of the security of
>that operating system, instead of simply relying on the vendor's word
>that their method of "hardening" the OS - either using chroot or type
>enforcement - actually results in a "hacker-resistant" operating
>system.
I'm not sure I agree. Independent design review of a product is
always a good idea, but an independent evaluation of the operating
system on which the firewall runs can be (in some cases) completely
useless. It depends a *LOT* on how the firewall's designers built the
firewall. In cases where the O/S is exposed to outside attack, the
hardening of the O/S and its evaluation might make a big
difference. In cases where the O/S is unexposed, I don't see how it
matters as much as the implementation of the part that protects the
O/S from exposure!
Let's imagine a firewall that does some kind of screening in a
routine that sits between the network interface drivers and the
network protocol stacks. In other words, it's below IP, ARP, etc.
If I then configure the firewall so that no IP or upper-level traffic
will reach the firewall's address, then who CARES about the
configuration of the O/S?? What you'd want to test carefully is the
implementation of my screening layer, and you'd want to make sure
there were no back-channels that would let a packet leap from the
driver to the protocol stack without permission. Note that an Orange
Book-style evaluation wouldn't help this particular firewall at all
because the O/S is completely unreachable to the attacker, *AND* the
add-in filtering layer isn't part of the evaluated O/S and wouldn't
be looked at.
>It would seem to me that a firewall that runs on an NSA evaluated
>operating system would at least provide that kind of independent "seal
>of approval".
It seems to me that a firewall that runs on an NSA evaluated
operating system would have something for the marketing guys to
squeal about but wouldn't be substantially better than any
other firewall unless the firewall's implementation components
(proxies or filters or whatever) were also evaluated components of
the TCB. Heh. That'd be fun to see. Of course, you'd never get that
past the specs -- it'd have to be a generic upgrader/downgrader and
all kinds of nonsense.
> Of course, SCC have had a lot of experience building
>operating systems that are
Lots of people have experience with Orange Book stuff, but that
doesn't make the Orange Book stuff useable. :) That being said, the
folks at SCC have a lot of experience with computer security and
secure software design and that *IS* useful. One thing that makes me
kind of unhappy about the "firewall industry" these days is the large
number of Johnny-come-latelies who really don't know anything about
security but smell money and are bashing products together and
tossing them over the fence.
Frank Willoughby writes:
> FWIW, Marcus Ranum wrote a good article about "firewall certifications".
> Last time I checked, it could be found on V-ONE's home page.
It may have moved because it's not really an official position of the
company, and reflects my highly unofficial and biased opinion. :)
I definitely know it's on
http://www.clark.net/pub/mjr/pubs
along with my other various rantings.
mjr.
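The screening-layer design mjr sketches above (a filter below IP and ARP, configured so that no traffic to the firewall's own address ever reaches the protocol stack), as an added example that is not part of the original post or of any product discussed in the thread. The firewall address 192.0.2.1, the MAC addresses, the two-tag VLAN limit and all sample frames are constructed for this example; the interesting part is `stack_reachable`, which is the kind of back-channel check the post says you would actually want to test, run here against tagged and malformed frames as well as plain ones.

```python
import ipaddress
import struct

ETH_IPV4, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100
FW_IP = ipaddress.IPv4Address("192.0.2.1")   # assumed firewall address (example only)
BCAST = ipaddress.IPv4Address("255.255.255.255")
MAX_VLAN_TAGS = 2                             # bound on 802.1Q tags we will peel
FORWARD, DROP, STACK = "forward", "drop", "stack"


def split_ethernet(frame):
    """Return (ethertype, payload), peeling up to MAX_VLAN_TAGS 802.1Q tags.
    Tag peeling matters: a filter that only looks at the outer ethertype
    would never see IP hidden behind a VLAN tag that the stack does accept."""
    if len(frame) < 14:
        return None
    etpos, tags = 12, 0
    ethertype = struct.unpack_from("!H", frame, etpos)[0]
    while ethertype == ETH_VLAN:
        tags += 1
        etpos += 4                               # skip TPID + TCI
        if tags > MAX_VLAN_TAGS or len(frame) < etpos + 2:
            return None
        ethertype = struct.unpack_from("!H", frame, etpos)[0]
    return ethertype, frame[etpos + 2:]


def ipv4_addrs(pkt):
    """Return (src, dst) of a well-formed IPv4 header, else None (checksum not verified)."""
    if len(pkt) < 20:
        return None
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if version != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])


def arp_target(pkt):
    """Return the target protocol address of an Ethernet/IPv4 ARP packet, else None."""
    if len(pkt) < 28:
        return None
    if struct.unpack_from("!HHBB", pkt, 0) != (1, ETH_IPV4, 6, 4):
        return None
    return ipaddress.IPv4Address(pkt[24:28])


def screen(frame, allow_local=False):
    """The screening layer. With allow_local=False (the configuration the post
    describes) nothing addressed to the firewall itself can reach the stack."""
    parsed = split_ethernet(frame)
    if parsed is None:
        return DROP
    ethertype, payload = parsed
    if ethertype == ETH_ARP:
        tpa = arp_target(payload)
        if tpa is None:
            return DROP
        if tpa == FW_IP:
            return STACK if allow_local else DROP
        return FORWARD
    if ethertype == ETH_IPV4:
        addrs = ipv4_addrs(payload)
        if addrs is None:
            return DROP
        src, dst = addrs
        if src == FW_IP:                          # nobody on the wire may claim to be us
            return DROP
        if dst == FW_IP:
            return STACK if allow_local else DROP
        if dst.is_multicast or dst == BCAST:      # would be delivered locally as well
            return DROP
        return FORWARD
    return DROP                                   # default deny for every other ethertype


def stack_reachable(frames, allow_local=False):
    """Back-channel check: does any frame in the corpus reach the local stack?"""
    return any(screen(f, allow_local) == STACK for f in frames)


# --- constructed test frames (example data, not captured traffic) -------------
def eth(ethertype, payload, vlan=None):
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def arp_request(sender, target):
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + bytes.fromhex("020000000001")
            + ipaddress.IPv4Address(sender).packed + b"\x00" * 6
            + ipaddress.IPv4Address(target).packed)


SAMPLE_FRAMES = {
    "transit": eth(ETH_IPV4, ipv4("198.51.100.5", "203.0.113.9", b"hello")),
    "to_fw":   eth(ETH_IPV4, ipv4("198.51.100.5", "192.0.2.1")),
    "arp_fw":  eth(ETH_ARP, arp_request("198.51.100.5", "192.0.2.1")),
    "vlan_fw": eth(ETH_IPV4, ipv4("198.51.100.5", "192.0.2.1"), vlan=0x0064),
    "qinq_fw": eth(ETH_VLAN, struct.pack("!HH", 0x0065, ETH_IPV4)
                   + ipv4("198.51.100.5", "192.0.2.1"), vlan=0x0064),
    "spoof":   eth(ETH_IPV4, ipv4("192.0.2.1", "203.0.113.9")),
    "runt":    eth(ETH_IPV4, ipv4("198.51.100.5", "203.0.113.9")[:12]),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:8s} {screen(frame)}")
    print("stack reachable:", stack_reachable(SAMPLE_FRAMES.values()))
```

The point of running `stack_reachable` over tagged, double-tagged, spoofed and truncated frames rather than just the obvious "IP to the firewall" case is exactly the review mjr describes: the O/S evaluation tells you nothing about whether a packet can leap from the driver to the stack past this layer, so the filter itself, and its parsing of every encapsulation the stack would accept, is what needs the scrutiny.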