Firewalls: Re: Firewall Rating NCSA != NCSC

Firewalls
(December 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Firewall Rating NCSA != NCSC
From:	"Marcus J. Ranum" <mjr @ mail . clark . net>
Organization:	V-ONE Corp Baltimore office
Date:	Sun, 29 Dec 1996 09:42:14 +0000
To:	firewalls @ GreatCircle . COM
Comments:	Authenticated sender is <mjr @ mail . clark . net . >

Jim Truitt <jtruitt @
 pagesz .
 net> writes:
>Given the choice of hosting the same set of
> firewall apps on rated vs a non-rated platform, I would go with the rated
> platform. In general the OS on the firewall platform should be a "hardened" OS.

Can you explain how the "hardened" OS helps? If the firewall
software is implemented below the OS layer (e.g.: some kind
of adaptive filtering or whatever) then the OS will never even "see"
the traffic at all and whether it's an evaluated OS or not is
completely irrelevant. If the firewall software is purely application
level, then the only thing that the evaluated OS will provide is
some host-based security in the event that there is a catastrophic
failure in one of the proxies. *BUT* if there's a catastrophic
failure in one of the proxies then the attacker's not going to
be going after root anyhow -- they already have compromised
control of a networkable application on the firewall itself so it's
all over but the shouting, sackcloth, and ashes.

Building a firewall on an evaluated UNIX is a nice marketing
tool if you're dealing with people who still believe in orange
book, or who don't really understand practical computer
security. Most of the interesting work in firewalls is below
the OS interface level these days, and at that point you're
dealing with trusted applications, not trusted operating
systems.

That being said, there are some simple techniques for
hardening firewall operating systems that can be very
very effective, which have nothing to do with orange book.
For example, make a single-line kernel change to the
in-kernel code for exec, to prevent any non-privileged
application from execing -- then make sure that all
proxies immediately give up privilege and are self-forking.
Follow that by making all files on the system read/write
only by root. This approach provides, in many cases,
better compartmenting than you'd get with a trusted
OS and it's actually comprehensible and not full of
weird kruft that you've got no use for.

The issue here is security design. Would you rather
assume something is strong because some ancient
government committee legislated "strength" 15 years
ago before WANs were invented, or would you rather
assume something is strong because it operates
based on easily understood principles which flow
directly from its purpose?

mjr. 
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work:       http://www.v-one.com
Personal:   http://www.clark.net/pub/mjr
"I'll have time to be laid back when I'm laid out on a slab"

Indexed By Date	Previous:	Re: fw1/address translation From: Paul Ferguson <pferguso @ cisco . com>
Indexed By Date	Next:	Re: EPL (Evaluated Products List) From: "Marcus J. Ranum" <mjr @ mail . clark . net>
Indexed By Thread	Previous:	RE: Firewall Rating NCSA != NCSC From: Gene Lee <genel @ inforamp . net>
Indexed By Thread	Next:	Re: Firewall Rating NCSA != NCSC From: Jim Truitt <jtruitt @ pagesz . net>