Great Circle Associates Firewalls
(February 1995)
 


Subject: Re: B1 Firewall ?
From: Marcus J Ranum <mjr @ tis . com>
Organization: Trusted Information Systems, Inc. Glenwood, MD
Date: Tue, 21 Feb 1995 23:03:05 -0500 (EST)
To: smith @ sctc . com (Rick Smith)
Cc: mjr @ tis . com, smith @ sctc . com, firewalls @ greatcircle . com
Coredump: Infocalypse Now!!!
In-reply-to: <199502201710 . LAA13260 @ shade . sctc . com> from "Rick Smith" at Feb 20, 95 11:10:08 am
Phone: 301-854-6889

Rick Smith writes:
>> If you're connecting a one-way
>> link that data is never going to leak out of, it seems easiest to
>> me to implement the one-way link at a hardware level. [cut fiber,
>> broadcast ether w/write lead cut, etc] 
>
>This works for certain special cases, i.e. if all you want is a one
>way flow. Secure bidirectional flow is useful, too, like if you're
>sharing encrypted messages that get passed across the public Internet.

	Yes, that's true. I'd more or less completely forgotten
that part -- doing that, *WITH* high assurance that the mail is
encrypted, is going to require MLS and all that fancy stuff.

>> 	That's why I was pretty careful in my earlier mail
>> to try to differentiate a B2 "guard" from a typical
>> Internet firewall. By the time you're working at that
>> degree of restriction, it doesn't look much like what you
>> or I would recognize as a "firewall."  
>
>Could you elaborate on your distinction between "guard" and
>"firewall?"  I've tended to think of "guard" as a species of
>"application layer firewall" since it doesn't pass transport layer
>traffic and it can apply access controls based on application layer
>message contents. Is there some other property of a guard that you
>believe makes it _not_ a sort of firewall?

	I try to keep them separate in my mind, since the folks
who are doing MLS guards have very different (generally) objectives
from the folks doing Internet firewalls. Since TIS, like you, does
stuff in both areas, it's useful at least in my mind to keep the
two separate. There's nothing like doing a table show of Gauntlet
at a conference and having all these folks drooling over HTTP through
the firewall and all that and then having them turn around and ask
you (seriously) if they can use it to hook classified nets to the
Internet.  <cough>
	Really, you're right - a guard is a kind of firewall, where
"firewall" is loosely defined: "a system or set of systems that
implement access controls across a trust boundary." [my current
favorite definition] But when someone asks for a "firewall" between
his classified net and his SBU net he is not talking about the
same kind of critter most of us are when we say "firewall"  :)

mjr.

