On Tue, 18 Mar 1997, Jon Spencer wrote:

> Here are my assumptions. They don't need to be anyone else's and this list
> certainly doesn't need any more religious wars! :-) They are:
> 1) you can't bolt security onto an insecure base - the base is always then
> subject to attack.

What exactly do you mean by "the base" here? I can recall fairly few
instances where security on a unix system has been compromised due to
kernel bugs, per se. (Actually, I can think of none, but that's just me.
Ping of death, syn attacks, sure you can DoS a unix kernel, but not
compromise the machine.) +99% of all penetrations come through user-level
programs running as root. Fix those, and, to my mind, most modern unices
(or NT for that matter) probably count as "secure", which means, as all of
us know, "secure enough".

(I'll resist the temptation to say "for government work.")

> 3) The basic functions of an operating system, including the functions upon
> which firewall functionality is based, must be very high assurance,

Arguable, I think, but I'll grant that.

What do you mean by this? Does BSD's securelevel count?

> shown to always be invoked,

Aside from the split infinitive, doesn't this fall under "assurance"?
Don't most operating systems offer features which are always invokable?

> and verifiable.

Why is verifiability important? I don't buy the argument that
verifiability is the most important aspect to a firewall. Competent
administrators will buy you ten times as much security as 400 pages of
lambda calculus, gilt certificates from the NCSA, and a note from your

> Building a
> firewall on top of standard Unix or NT or Linux or whatever lacks this

Which assurances? The only one which I see it lacking is the last one,

> A firewall is a
> very complex thing, ESPECIALLY if you want it to really work.

So, if a firewall is to work, it has to be complex?

> high assurance implementation requires strict modularity (as ours has), so
> that (1) complexity is greatly reduced,

Since "high assurance" firewalls should have a minimum of complexity,
they don't work?

> Look for a very famous US gov't security agency to be going online with
> exactly this configuration this spring or early summer (using guess
> who's OS? :-)

I seem to recall the famous US gov't doing many things. The wrenches in
my garage didn't cost $4,000, and they aren't made of titanium. They're
steel, and I bought them at a hardware store. You know what? My skill as
a mechanic and a 19-year-old airman's skill as a mechanic are still the
single most important factors in how well our machines run.

As with cars or planes, so with firewalls. Sure, I'd like to have a
$4,000 titanium wrench, but I really don't need it. What I do need is
more knowledge about how my car works. This is a similar situation to
most firewall sites. They don't need C2 certification (because they'll
never use the C2 features anyway), they don't need verifiable
top-to-bottom, rigorously provable operating systems.

They need to read the RFCs and understand how the protocols work. They
need to understand the difference between TCP and UDP, which more than one
NT administrator I've met has not. They need to be able to visualize the
traffic flow through their network, and to be able to do so in a fairly
sitz im leben manner. They need to be able to take simple firewall tools
(FWTK or Gauntlet, etc.) and, from them, craft a solution which implements
their corporately- (or whatever-)determined security policy.

I doubt that a mainstream firewall, call it Gauntlet or even the FWTK, if
properly configured by a competent administrator, could be broken. I'm
willing to set one up if someone else wants to try. This entire debate,
however, is becoming moot as, increasingly, it's much easier to lure
protected machines into downloading an ActiveX-based packet sniffer which
mails the results of its sniffing back through the firewall.

I really think that a lot of people are wasting a lot of money if they put
a B2 machine (or whatever) as their internet firewall. Turning off port
80 will buy you a whole lot more security, and it's a lot cheaper.

Todd Graham Lewis MindSpring Enterprises tlewis @