Nice posting BTW.
>idea is that it should NOT be possible for one person to completely manage
>all parts of a gateway system. If implemented correctly, it takes at least
>two persons to break the protection, which reduces the probability of IT
I completely agree with the theory and practice when applied to other areas
(intelligence, nukes, etc.). The problem is that the application of the
two-person rule in a computer environment is extremely difficult to implement.
(Yes, I know some ancient computers still use this technique, but it is still
very difficult to implement).
Two persons must be present at all times
As an example, many people require two passwords for the system administrator
to log into a secure system. The sysadmin holds one password, the security
chief has the other. Both must be present for the sysadmin to log in.
What often will occur is that one (or even both) of the persons will leave their
terminal (momentarily, of course) to get a cup of coffee, use the bathroom,
or even be distracted for a few seconds, etc. Within seconds, the dirty deed
Two persons must have the same level of expertise
Another important factor is that both individuals have the same level of
expertise, so that an unauthorized act could be detected by the other party.
In the real world, you will seldom find two individuals with the same level
of expertise. The disparity will allow the more expert of the two individuals
to "explain away" the mischievous act that was perpetrated.
Adequate logging must be performed
It would be nice if every command was logged. However, this does not provide
adequate protection in the real world. Logged commands need to be understood
in the context in which they are executed. As an example, suppose the person
goes into an editor, does some magic, redefines certain logicals, symbols, etc.,
and then exits the editor. In most cases, the activities in the editor won't be
logged. All you will usually see is the command to enter the editor and the
next command after the user has exited the editor. If every keystroke is going
to be captured and then replayed, remember to allow for the session to be
back at various speeds (slow motion) so that the session can be studied in
- reducing the possibility that important data/mischief is overlooked.
3rd party review
Also comes the unpleasant task of a 3rd party reviewing the logged information
to ensure that the two individuals weren't working together (not as improbable
as one would think). Of course, the 3rd party must also have the same
technical level of expertise as the other two individuals so that mischief
could be detected.
I suspect that after reviewing the 10th or 20th innocent session, the 3rd
party will start to get careless and overlook the details of the following ones
(if they are looked at at all).
As stated earlier, when working with intelligence, or nuclear weapons, the
two-man rule is an absolute necessity and must be observed. However, it bogs
down and becomes difficult to implement in the real computer world where we
all live and work. It may be implementable in the short term, but I have
serious doubts as to the ability to implement it over the long-term.
Bottom Line: This is really more of a management problem than a technical problem
and can often be handled through adequate policies, education, etc. Security
has to be cheap and as manpower non-intensive as possible so that it won't bog
down in the implementation - the result of which is the (fully auditable)
of security rather than actual security. (Some implementations of RACF /
ACF2 come to mind).
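The two-password login described in the post, together with the failure mode it raises (one party walks away from the terminal), as an added example that is not part of the original post: the sysadmin holds one password and the security chief the other, both must be supplied to open a privileged session, and in addition each party must re-confirm presence within a window (PRESENCE_WINDOW, an assumed value) or the session locks and every command is refused until both have re-attested. The credentials, holder names, sample commands and the manual clock are all constructed for the example; every decision is written to an audit list so the "adequate logging" the post asks for is visible.

```python
"""Dual-control (two-person) session gate with a presence check.

Added example, not from the original post. Names, passwords, the hash
parameters and PRESENCE_WINDOW are assumptions made for the demo.
"""
import hashlib
import hmac
import os
import time

PRESENCE_WINDOW = 120  # seconds a party may be unseen before the session locks (assumed)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Credential:
    """One party's secret, stored salted and hashed."""

    def __init__(self, holder: str, password: str):
        self.holder = holder
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(password, self.salt))


class DualControlSession:
    """Privileged session that needs both parties to open it and to stay present."""

    def __init__(self, cred_a: Credential, cred_b: Credential, clock=time.monotonic):
        self.creds = (cred_a, cred_b)
        self.clock = clock
        self.last_seen = {}   # holder -> time of last successful attestation
        self.audit = []       # (time, event, detail) for the 3rd-party reviewer
        self.opened = False

    def open(self, pw_a: str, pw_b: str) -> bool:
        # Both secrets are always checked so a failure does not reveal which was wrong.
        ok_a = self.creds[0].verify(pw_a)
        ok_b = self.creds[1].verify(pw_b)
        now = self.clock()
        if not (ok_a and ok_b):
            self.audit.append((now, "OPEN_DENIED", None))
            return False
        for c in self.creds:
            self.last_seen[c.holder] = now
        self.opened = True
        self.audit.append((now, "OPEN", [c.holder for c in self.creds]))
        return True

    def attest(self, holder: str, password: str) -> bool:
        """A party proves it is still at the terminal; a wrong password refreshes nothing."""
        for c in self.creds:
            if c.holder == holder and c.verify(password):
                self.last_seen[holder] = self.clock()
                self.audit.append((self.last_seen[holder], "ATTEST", holder))
                return True
        self.audit.append((self.clock(), "ATTEST_DENIED", holder))
        return False

    def _absent(self, now: float) -> list:
        return [h for h, t in self.last_seen.items() if now - t > PRESENCE_WINDOW]

    def run(self, command: str, execute):
        """Run `command` via `execute` only if the session is open and nobody is absent."""
        now = self.clock()
        if not self.opened:
            self.audit.append((now, "REFUSED_NOT_OPEN", command))
            return None
        absent = self._absent(now)
        if absent:
            self.audit.append((now, "REFUSED_ABSENT", absent))
            return None
        result = execute(command)
        self.audit.append((now, "RUN", command))
        return result


class ManualClock:
    """Deterministic clock so the coffee-break scenario can be replayed exactly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Walk through the scenario from the post; returns the audit trail."""
    clock = ManualClock()
    sess = DualControlSession(Credential("sysadmin", "s3cr3t-A"),
                              Credential("security_chief", "s3cr3t-B"), clock)
    runner = lambda c: f"ran:{c}"                      # constructed stand-in for a shell
    sess.open("s3cr3t-A", "wrong")                      # one password wrong: denied
    sess.open("s3cr3t-A", "s3cr3t-B")                   # both present: session opens
    sess.run("show users", runner)                      # allowed
    clock.advance(PRESENCE_WINDOW + 1)                  # both wander off for coffee
    sess.run("edit /etc/passwd", runner)                # refused: nobody attested
    sess.attest("sysadmin", "s3cr3t-A")                 # only one party is back
    sess.run("edit /etc/passwd", runner)                # still refused: chief absent
    sess.attest("security_chief", "s3cr3t-B")           # second party returns
    sess.run("edit /etc/passwd", runner)                # allowed again
    return sess.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The presence window is the part the post says real deployments lack: without it, a single login by both parties buys the remaining party an unsupervised session for as long as it stays open. Note the limits the post also points out still apply here: the gate records that a command was issued, not what happened inside an editor, and it does nothing about two parties colluding.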