> The NETWORK domain is untrusted in that users can potentialy subvert a
> process that is running (say a proxy). If the system is MLS, and the
> proxy code is held within the system damain, the proxy code itself
> cannot be corrupted. I previously cited the example of sendmail - a
> product that still has gold nuggets to find. Under the Harris MLS
> system, only *trusted* processes running under specific privileges can
> actually make socket style connections. If you are going to grant these
> privileges and have done no or little sanity checks on the program you
> are asking for trouble.
> The Harris MLS system was also evaluated with a MLS Networking component
> (B1 MDIA) - part of this evaluation was that only authorized processes
> could use network (or socket) functions. Each interface has a MLS definition
> in the case of the CyberGuard it is the special case of a single level
> network labelled NETWORK.
So MLS can be extended to cover network devices. I thought only
type-enforcement could do that 8^)
Really, that's the natural thing to do with any security model; extend
it to cover the new domain. What level of granularity do you have
over access to sockets? Is a proxy given carde blanc or limited
Please tell everyone that a level 1 binary created by a proxy (with
a bug) can't open a socket. I assume that you limit that ability to
trusted code right?
> The proxies (or whatever that establishs network connections between
> interfaces), even if it is a multi stage hop, are being evaluated by
> the European ITSEC to a level of E3 on the Harris CyberGuard.
> We however, are not at the level of formal proof.
> someone else posted:
> > Your previous arguments only intend to assert the fact that the firewall
> > *SYSTEM* is secure but not the firewalling functions themselves. N'est pas?
> My previous arguments were, as I originally stated, to show that the
> firewall itself is difficult to penetrate, and then followed on to refer
> (albeit briefly) to firewall protection of "inside" and "outside".
Without host securiy you have no way of telling if your firewall is
the firewall that you started with. I too disagree strongly with the
statement to which you took exception.
Yes and MLS is a natural way to separate "trusted" and "untrusted"
How does your MLS system stack up against chroot bandaids? <insert wide grin>
Secure Systems Engineering
AT&T Bell Labs