Great Circle Associates Firewalls
(January 1996)
 


Subject: Re: Re[2]: Product selection
From: mdr @ vodka . sse . att . com
Date: Thu, 25 Jan 1996 18:00:19 -0500 (EST)
To: jon @ london . hcsc . com (Jon Shallow)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9601251829 . AA14556 @ london . csd . harris . com> from "Jon Shallow" at Jan 25, 96 06:29:08 pm

Jon,

Nice posting.
> 
> The NETWORK domain is untrusted in that users can potentially subvert a
> process that is running (say a proxy).  If the system is MLS, and the 
> proxy code is held within the system domain, the proxy code itself 
> cannot be corrupted.  I previously cited the example of sendmail - a
> product that still has gold nuggets to find.  Under the Harris MLS
> system, only *trusted* processes running under specific privileges can
> actually make socket style connections.  If you are going to grant these
> privileges and have done no or little sanity checks on the program you
> are asking for trouble.
> 
> The Harris MLS system was also evaluated with a MLS Networking component
> (B1 MDIA) - part of this evaluation was that only authorized processes
> could use network (or socket) functions.  Each interface has a MLS definition
> in the case of the CyberGuard it is the special case of a single level
> network labelled NETWORK.

So MLS can be extended to cover network devices.   I thought only
type-enforcement could do that 8^)
Really, that's the natural thing to do with any security model; extend
it to cover the new domain.  What level of granularity do you have
over access to sockets?  Is a proxy given carte blanche or limited
permissions?

Please tell everyone that a level 1 binary created by a proxy (with
a bug) can't open a socket.  I assume that you limit that ability to 
trusted code right?

> 
> The proxies (or whatever that establishes network connections between
> interfaces), even if it is a multi stage hop, are being evaluated by
> the European ITSEC to a level of E3 on the Harris CyberGuard.
> We, however, are not at the level of formal proof.

Excellent.

> someone else posted:
> > 
> > Your previous arguments only intend to assert the fact that the firewall
> > *SYSTEM* is secure but not the firewalling functions themselves.  N'est-ce pas?
> 
> My previous arguments were, as I originally stated, to show that the
> firewall itself is difficult to penetrate, and then followed on to refer
> (albeit briefly) to firewall protection of "inside" and "outside".

<RANT>
Without host security you have no way of telling if your firewall is
the firewall that you started with.  I too disagree strongly with the
statement to which you took exception.
</RANT>


Yes and MLS is a natural way to separate "trusted" and "untrusted"
networks.

How does your MLS system stack up against chroot bandaids?  <insert wide grin>

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs


