Great Circle Associates Firewalls
(April 1995)

Subject: Re: Firewall failure modes (was Re: performance)
From: "Marcus J. Ranum" <mjr @ tis . com>
Organization: Trusted Information Systems, Inc. Glenwood, MD
Date: Wed, 26 Apr 1995 02:16:31 -0400 (EDT)
To: isdmill @ gatekeeper . ddp . state . me . us (David Miller)
Cc: peter @ nmti . com, fc @ all . net, mjr @ tis . com, firewalls @ GreatCircle . COM
Coredump: Infocalypse Now!!!
In-reply-to: <Pine . 3 . 89 . 9504251010 . B4230-0100000-0100000 @ gatekeeper . ddp . state . me . us> from "David Miller" at Apr 25, 95 11:37:35 am
Phone: 301-854-6889

David Miller writes:
>Naturally, this whole discussion is about theory vs practice.  Both sides 
>are pointing out things which are true.  I think Mr. Cohen's position is 
>approximately stated as: 'If you can't *prove* it's secure, it could have 
>problems. Particularly suspect areas are in the boundary conditions which 
>few if any programmers test or even consider'
>
>To which Marcus, among others, has said: 'This theory stuff is nice in a 
>classroom, but doesn't happen in the real world.  If you can give us an 
>example of where your theory meets up with our software, cough it up.'

	Oh, I'm a big believer in formal proofs and verification.
In fact, a formally proven-to-be secure firewall that has been
completely tested for all boundary conditions and totally vetted
for trapdoors, trojans, cholesterol, and bugs *WILL* be an awesomely
good firewall.

	Here's a tongue-in-cheek proof that a formally verified
100% tested firewall is totally secure:
	A) Assume all traffic between nets must pass through
		the firewall
	B) Assume that it takes 10 years to completely test
		all the firewall's code points
	C) Assume that it takes 10 years to check every line
		of code in the kernel, the utilities, and the
		compilers and code generators used to compile
		it.
	D) Since it takes about a year to prove that Hello.c
		is secure, using formal methods, assume that
		for a minimalist firewall it'll take about
		600 years and 1,000,000 pages of proofs

Therefore: the firewall will not pass any traffic
	for at least 620 years by which time it will be
	completely moot and nobody will use it so it will be
	still secure.

	For the clue-impaired:   :)    :)    :)


	Kidding aside, I'm a big believer in testing stuff and
I typically spend as much time writing test harnesses as I do
function points. The discussion has gotten dragged a bit off
base because testing is a great issue to engage in vendor-bashing
over. Since it's axiomatic that no amount of testing is ever
enough, then it's always easy to point your finger and say
"you should test more."  It's interesting that I'm the only
representative from a firewall vendor that has touched the
discussion. :) You'd think that people would be *impressed*
by the fact that our source code has been published and reviewed
by all the experts and hackers out there, including our competition.
You'd think people would be *impressed* by the fact that we have
published our design criteria and how/why we do what we do. Ask
the other guys what goes on inside their black boxes and they'll
tell you "trust us."

mjr.

