Great Circle Associates Firewalls
(January 1996)
 


Subject: Re: Product selection
From: jon @ london . hcsc . com (Jon Shallow)
Date: Tue, 23 Jan 96 14:35:33 GMT
To: firewalls @ greatcircle . com
In-reply-to: <199601221935 . NAA18372 @ shade . sctc . com>; from "Rick Smith" at Jan 22, 96 1:35 pm

Rick Smith asks:
> 
> The following is my own point of view based on my knowledge of
> Sidewinder. I'd really like to see a similar post from someone more
> closely familiar to the Harris product.
> 
Using good old English colloquialism, Rick Smith has, in his usual style,
thrown down the gauntlet.....


Consider a venn diagram of the form

          sssssssss   nnnnnnnnnn
        s           x            n
       s           n.s            n
      s           n...s            n
      s   SYSTEM  n...s  NETWORK   n
      s   DOMAIN  n...s  DOMAIN    n
       s           n.s            n
        s           x            n
          sssssssss   nnnnnnnnnn

Assertion 1:
Any activity that comes in over a network interface can only operate
in the NETWORK Domain.

Assertion 2:
Any system management activity can only operate in the SYSTEM Domain.

Assertion 3:
Where the two domains overlap, there are enforced MLS controls in place
to make sure that only that which is allowed can transfer between the domains.

Assertion 3 translates to:
Data can be read from the SYSTEM Domain by the NETWORK Domain, but,
unless the process is MLS trusted, a process cannot write from the
NETWORK Domain into the SYSTEM domain.  

These MLS controls are the parts that are evaluated (not just designed to
meet) by Governmental bodies both in the USA and Europe.

What does this mean in practice ?

Take the well-known sendmail, flush with a rich set of features, some of
which are still to be found.

A mail packet comes in which starts up sendmail in the NETWORK Domain.
sendmail is able to read the sendmail.cf file from the SYSTEM Domain, along
with alias files, MX records etc.  The executable code of sendmail is READONLY
in that the executable is held in the SYSTEM Domain.

Assume that sendmail was installed badly, and is still running as a 'root'
process.  A 'feature' is found where the incoming mail session is able to
take control.

'root', when operating in the NETWORK Domain, is subject to the normal
MLS controls.

This mail session at worst can only corrupt the NETWORK domain, in 
particular, only the Virtual Address Space of this mail session.  The
mail session can never update the SYSTEM Domain where, for example,
all the Firewall Configuration information and Operating System is held.

Furthermore, damage is limited within the NETWORK Domain, by the set of
features found in most multi-tasking operating systems.  You would never
expect someone else's data to appear on your screen - the operating system
should keep tasks separate (a form of Type Enforcement).

So far, we have a firewall with an integrity of operation that is hard to
corrupt.  [Incidentally, Harris received (Sep '93) a certificate
from NCSC who evaluated the Operating System and Networking to B1 MDIA.
This OS/Networking combination has recently been RAMPed (Oct '95)].

So how does the firewall control the data flowing through it ?

The bottom line is that the firewall will only do what it is told to do.
The strength of a MLS system is that the configuration rules are held in
the SYSTEM Domain, and therefore cannot be modified by a NETWORK Domain
process.

How strong are these rules ? Are there ways to get around them?

These are valid questions for any firewall.  The Harris CyberGuard is
currently undergoing a European ITSEC E3 evaluation, part of which is
specifically targeted towards testing the rule strength of mechanism.

I have also responded to some of Rick's comments below.

> smcc @ pipeline . com (System Management Consulting Company) asks:
> 
> >I have a client considering a purchase of either - Harris CyberGuard or
> >Secure Computing Sidewinder - They seem to be comparable products
> >-Cyberguard says they feature B-1 and MLS while Sidewinder pushes Type
> >Enforcement.  Which is the better technology?.  Any help would be
> >appreciated. 
> 
> The following is my own point of view based on my knowledge of
> Sidewinder. I'd really like to see a similar post from someone more
> closely familiar to the Harris product.
> 
> MLS (Multilevel Security) is a mandatory protection mechanism required
> to meet the Orange Book B or A level requirements. B1 is the lowest
> Orange Book rating that supports MLS, A1 being the highest. The nice
> thing about MLS (also about Type Enforcement) is that the mechanism is
> explicitly built to fend off serious attacks against system security.
> Both mechanisms "label" all programs and data within the system and
> control access according to rules that are applied to all accesses and
> that can't be changed during normal system operation.
> 
> We developed Sidewinder based on our experiences building LOCK, a
> system designed to meet the more stringent A1 requirements.  LOCK
> contained both Type Enforcement and MLS protections. Sidewinder omits
> the MLS protections and retains Type Enforcement.
> 
> Here are some things Type Enforcement lets us do that we couldn't
> do as well with MLS protections:
> 
> 1) Protect the integrity of firewall code. There's nothing in MLS
> restrictions that prevents you from installing subverted software.
> You can use MLS to write-protect some software and, if you're careful,
> you can make it difficult to substitute subverted software for
> application software. But it's not something the MLS concept is
> explicitly designed to do.

Application software is something most people do not want to run on
their firewalls as they do not like users logging into the firewall.
As far as the CyberGuard goes, proxies are treated as Trusted
Applications, where the executable is held in the SYSTEM Domain.

Both MLS systems and TE systems have to have a mode under which new
software can be loaded in under controlled conditions.  At this stage
MLS or TE systems do not know about subverted software.
> 
> 2) Protect applications from one another. At its best MLS can protect
> one network from another. Sidewinder associates separate protection
> domains with separate TCP/IP ports. The connections associated with a
> particular application go directly to that application. If an attacker
> manages to overcome one application, Type Enforcement blocks any
> attacks on other applications, even those serving the same network.

I trust my description above of the separate domains shows the strength of
MLS working.  Harris MLS goes much further than network separation.

Any reasonable Operating System separates different activities by use
of Virtual Address Space separation.  The operating system space is the
common overlap, and this is where MLS and TE score in giving a warmer
feeling of security.
> 
> 3) Fast intrusion detection. Type Enforcement protections are tailored
> to the access requirements of the installed applications. An attack
> can only progress if the applications are made to misbehave and to
> access system resources in improper ways. These access violations
> are immediately detected and can be configured to generate an immediate
> alarm.

Any firewall needs sensible, granularity-selectable auditing.  Too much,
and it is never digested; too little, and events are missed.  Alerting /
alarming on abnormal conditions is becoming a prerequisite these days.
Part of the B1 MLS requirements is auditing (almost anything that can be
audited is auditable), and the Harris CyberGuard has standard tools that
reduce this audit data stream to alertable conditions, which can raise
immediate alarms.
> 
> Basically, MLS is designed to protect confidentiality. Firewalls need
> finer grained protection to maintain their integrity. MLS is better
> than nothing. Type Enforcement, however, is really designed for the job.

Standard MLS operating systems by themselves are somewhat limited in a
networking environment.  Add in Networking and Firewalling filters /
proxies, along with years of Secure/Networking/Firewalling experience
with Government Approval, then only the CyberGuard is designed for the job.
> 
> Rick.
> smith @ sctc . com         secure computing corporation
> 
Regards

Jon
-- 


			Jon Shallow, Harris Computer Systems Corporation
			Jon . Shallow @ mail . hcsc . com
			Tel	+44 (0) 1276 686886
			Fax	+44 (0) 1276 678733
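
As an added illustration (not part of the original post, and not Harris or CyberGuard code), Jon's three assertions and his compromised-root-sendmail walk-through can be written as a small Python reference-monitor model. Everything in it is an assumption made for the example: the domain names, the Subject/Obj classes, the `trusted` flag, the audit tuple layout and the sample file contents. It shows the decision rule (read-down permitted, write-up denied unless the process is MLS trusted), that uid 0 buys the attacker nothing inside the NETWORK domain, and how the audit stream reduces to alertable denials.

```python
"""Toy reference monitor for the two-domain MLS policy described above.

Added illustration, not Harris/CyberGuard code.  The domain names, the
Subject/Obj classes, the `trusted` flag and the sample file contents are
all assumptions made for the example.
"""
from dataclasses import dataclass

SYSTEM = "SYSTEM"    # configuration, OS, executables: system management only
NETWORK = "NETWORK"  # everything that arrives over a network interface

AUDIT: list = []     # every decision is recorded, denials included


@dataclass
class Obj:
    name: str
    domain: str
    contents: str = ""


@dataclass
class Subject:
    name: str
    domain: str
    uid: int = 1000        # uid 0 ("root") carries no weight in the policy
    trusted: bool = False  # MLS-trusted processes may write across domains


def permitted(subj: Subject, op: str, obj: Obj) -> bool:
    """Assertions 1-3 from the post, as a decision function.

    Same-domain access is always allowed.  Across the overlap a NETWORK
    subject may read SYSTEM objects but may write them only if trusted.
    SYSTEM subjects never touch NETWORK objects (Assertion 2).
    """
    if subj.domain == obj.domain:
        return True
    if subj.domain == NETWORK and obj.domain == SYSTEM:
        return op == "read" or subj.trusted
    return False


def access(subj: Subject, op: str, obj: Obj, data: str = "") -> bool:
    """Mediate one access, apply it if allowed, and audit the outcome."""
    ok = permitted(subj, op, obj)
    AUDIT.append((subj.name, subj.domain, op, obj.name, obj.domain,
                  "ALLOW" if ok else "DENY"))
    if ok and op == "write":
        obj.contents = data
    return ok


def denials() -> list:
    """The reduced audit stream: only the events worth alerting on."""
    return [e for e in AUDIT if e[-1] == "DENY"]


def sendmail_scenario() -> dict:
    """Replay the compromised-root-sendmail case from the post."""
    AUDIT.clear()
    # Constructed sample objects; contents are illustrative only.
    cf = Obj("sendmail.cf", SYSTEM, "DS mailhub.example\n")
    rules = Obj("firewall.rules", SYSTEM, "deny all\n")
    spool = Obj("mqueue/df00001", NETWORK)

    # Badly installed: sendmail runs as root, but it was started by a network
    # session, so it lives in the NETWORK domain regardless of its uid.
    sendmail = Subject("sendmail", NETWORK, uid=0)

    out = {}
    out["read_cf"] = access(sendmail, "read", cf)                 # read-down: allowed
    out["write_rules"] = access(sendmail, "write", rules,
                                "permit all\n")                   # write-up: denied
    out["write_spool"] = access(sendmail, "write", spool,
                                "garbage")                        # own domain: allowed
    out["rules_after"] = rules.contents                           # still "deny all\n"

    # The only path into SYSTEM data is a process the MLS policy marks trusted.
    updater = Subject("trusted_updater", NETWORK, trusted=True)
    out["trusted_write_rules"] = access(updater, "write", rules, "deny all\nlog\n")
    out["alerts"] = len(denials())                                # exactly one
    return out


if __name__ == "__main__":
    for k, v in sendmail_scenario().items():
        print(f"{k}: {v!r}")
```

The point of the model is the shape of `permitted`: it never consults `uid`, so a root process hijacked by an incoming session is confined exactly as an unprivileged one would be, and the single DENY in the audit list is the event a firewall operator would want raised as an alarm.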

