Nice commentary, lots of excellent points.
> MLS (Multilevel Security) is a mandatory protection mechanism required
> to meet the Orange Book B or A level requirements. B1 is the lowest
> Orange Book rating that supports MLS, A1 being the highest. The nice
> thing about MLS (also about Type Enforcement) is that the mechanism is
> explicitly built to fend off serious attacks against system security.
> Both mechanisms "label" all programs and data within the system and
> control access according to rules that are applied to all accesses and
> that can't be changed during normal system operation.
right on :)
[ snip more good stuff ]
> Here are some things Type Enforcement lets us do that we couldn't
> do as well with MLS protections:
> 1) Protect the integrity of firewall code. There's nothing in MLS
> restrictions that prevents you from installing subverted software.
> You can use MLS to write-protect some software and, if you're careful,
> you can make it difficult to substitute subverted software for
> application software. But it's not something the MLS concept is
> explicitly designed to do.
MLS can do this trivially by labeling system software at level 0 and
executing the code at level 1. Running programs are thus unauthorized
to change their content, or the content of other programs. It's a "no
write down" model. We've been using that for trojan horse protection
for years now.
> 2) Protect applications from one another. At its best MLS can protect
> one network from another. Sidewinder associates separate protection
> domains with separate TCP/IP ports. The connections associated with a
> particular application go directly to that application. If an attacker
> manages to overcome one application, Type Enforcement blocks any
> attacks on other applications, even those serving the same network.
Not sure what you mean here. We certainly have separation of address
space, that's C2 object reuse. Also some MLS systems have extensions
to apply policy to network connections.
> 3) Fast intrusion detection. Type Enforcement protections are tailored
> to the access requirements of the installed applications. An attack
> can only progress if the applications are made to misbehave and to
> access system resources in improper ways. These access violations
> are immediately detected and can be configured to generate an immediate
MLS has alarms too. Least privilege systems (B2 and up) can enumerate
the types of access that the application is allowed. Type enforcement
may be more flexible, I guess it depends on the implementation. C2
and higher can monitor forks, execs etc and look for odd behavior.
> Basically, MLS is designed to protect confidentiality. Firewalls need
> finer grained protection to maintain their integrity. MLS is better
> than nothing. Type Enforcement, however, is really designed for the job.
The confidentiality model can be used and/or expanded to handle other
types of problems as demonstrated above. Type Enforcement appears to
be a general model that is useful for firewalls. However, there are
lots of MLS systems out there that can be used as firewalls.
I think that both models are useful. The OB is showing its age, but
finds new territory w/ firewalls. I would give *lots* of points to a
vendor who implements their firewall on either model.
Secure Systems Engineering
AT&T Bell Labs
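As an added illustration (not part of the thread above, and not any vendor's code), the following toy reference monitor models the two policies being argued over: the MLS "no write down" integrity arrangement described in the reply (system software at level 0, programs executing at level 1) and a Type Enforcement domain/type matrix of the kind Sidewinder is described as using, with access violations recorded as audit events. All labels, domains, types and the matrix entries are constructed for the example.

```python
# Added example: two toy policy checks for the models discussed in the thread.
# Labels, domains, types and matrix entries below are constructed, not real.

# MLS used for integrity: system software is labeled level 0, running programs
# execute at level 1, and a subject may never write to a level below its own.
def mls_integrity_allows(subject_level: int, object_level: int, access: str) -> bool:
    if access == "read":
        return True                       # reading "down" is permitted
    if access == "write":
        return object_level >= subject_level   # the "no write down" rule
    return False

# Type Enforcement: each process runs in a domain, each file/port has a type, and an
# explicit matrix lists the accesses a domain may make to a type (default: none).
TE_MATRIX = {
    ("ftp_d", "ftp_t"): {"read", "write"},
    ("ftp_d", "shared_lib_t"): {"read"},
    ("http_d", "http_t"): {"read", "write"},
    ("http_d", "shared_lib_t"): {"read"},
}

def te_allows(domain: str, obj_type: str, access: str) -> bool:
    return access in TE_MATRIX.get((domain, obj_type), set())

def check(policy, subject, obj, access, audit: list) -> bool:
    """Apply a policy function and log every denial, as an alarm source would."""
    ok = policy(subject, obj, access)
    if not ok:
        audit.append(f"VIOLATION subject={subject} access={access} object={obj}")
    return ok

def scenario():
    """A subverted ftp daemon tries to spread; returns per-attempt decisions and audit."""
    audit, results = [], {}
    # MLS: ftpd at level 1 tries to replace a level-0 system binary, then reads it,
    # then writes its own level-1 spool area.
    results["mls_overwrite_binary"] = check(mls_integrity_allows, 1, 0, "write", audit)
    results["mls_read_binary"] = check(mls_integrity_allows, 1, 0, "read", audit)
    results["mls_write_own_spool"] = check(mls_integrity_allows, 1, 1, "write", audit)
    # TE: ftpd in ftp_d tries to modify the web server's files, then its own.
    results["te_ftp_writes_http"] = check(te_allows, "ftp_d", "http_t", "write", audit)
    results["te_ftp_writes_own"] = check(te_allows, "ftp_d", "ftp_t", "write", audit)
    return results, audit

if __name__ == "__main__":
    decisions, log = scenario()
    print(decisions)
    print("\n".join(log))
```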