dcheline@genuity.net (Douglas Cheline) asks:
: Ok, Here's the $64,000 dollar question: Which is the most secure
: Firewall?
: I am in the process of choosing a firewall vendor and I'd like to know
: what "the word on the street" is in terms of the "BEST" security. I've
: seen some independent tests done (NCSA's assessment and RSA
: interoperability test) but none come out and say: "Product X is the
: best in terms of security because......" So, if you've done some tests,
: or have read information that may define a clear leader, you could
: really help me out.
"Best" security is a really slippery topic.
One way of looking at the problem is in terms of handling direct
attacks on the firewall itself. In other words, how can the firewall
handle attempts to directly attack it and subvert its software? If you
can do this, you can punch right through a firewall based on a
conventional OS.
People are constantly reporting vulnerabilities and ways to subvert
standard Internet server software. If you are going to protect a site
from such attacks, the firewall or server needs an extra measure of
protection to constrain vulnerable software. This is generally some
sort of "mandatory protection," that is, a protection mechanism that
can't be disabled by the subverted software even if it manages to
become "root" or some other privileged user.
We use type enforcement to provide such protection in our Sidewinder
firewall. Cyberguard (which used to belong to Harris) is supposed to
use the MLS protections of one of Harris' B level TCBs. Some Unix
vendors have modified "chroot" to provide a reasonably effective form
of mandatory protection. Various comments by Marcus Ranum have led me
to suspect that the TIS Gauntlet and Vone SmartWall probably have
incorporated the appropriate "chroot" changes, but you'd best check
with the vendors specifically. Despite Secure Computing's merger with
BorderWare, I haven't had the opportunity yet to review their firewall
implementation to assess its condition regarding mandatory protection.
I don't remember seeing any specific claims on their part regarding
how they protect against direct attacks.
As far as I can tell there is *no* facility for mandatory protection
in Windows NT. NSA and Microsoft have allegedly arranged with some
developer to try to do this, but it is currently vaporware.
The "chroot" on generic Unix systems is rarely strong enough by itself
to give the isolation needed by network server software in a
firewalled environment. Check the "Firewalls" archives from last
winter -- there was a discussion of "chroot" protection. Basically, it
needs to be tightened up for firewall applications.
Rick.
smith@sctc.com   secure computing corporation
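To make the "chroot needs to be tightened up" point concrete, here is an added example (not from Rick's message or any vendor's code) of the minimal sequence a network daemon must run for chroot(2) to give any real isolation: change directory before and after the chroot, drop supplementary groups, drop gid then uid, and verify root cannot be regained. The jail path and the unprivileged uid/gid are caller-chosen assumptions; it assumes a POSIX system and must start as root.

```c
/* Added example: hardened chroot entry for a jailed network daemon.
 * Assumes POSIX; jail directory and unprivileged uid/gid are chosen
 * by the caller. Not code from the original post or any firewall product. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `jail` and become uid/gid permanently.
 * Returns 0 on success, -errno on failure. Each step that naive
 * chroot() use skips is a known hole: a process that stays root, a cwd
 * or open directory outside the jail, or retained supplementary groups
 * can all defeat the isolation. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -EINVAL;            /* must never remain root inside */
    if (geteuid() != 0)
        return -EPERM;             /* chroot(2) itself needs root */

    /* chdir() first so no directory handle still points outside. */
    if (chdir(jail) != 0)
        return -errno;
    if (chroot(jail) != 0)
        return -errno;
    /* chroot() does not move the cwd; set it inside the new root. */
    if (chdir("/") != 0)
        return -errno;

    /* Drop supplementary groups, then gid, then uid. Order matters:
     * once uid is non-root the group changes would fail. */
    if (setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;

    /* Verify the drop is permanent: regaining root must fail, and the
     * effective ids must be the unprivileged ones requested. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return -EACCES;
    return 0;
}
```

Even with this sequence the jail contents still need review (no setuid binaries, no device nodes, nothing writable by the daemon's uid that a loader will execute), which is the rest of the "tightening" the message refers to.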