Great Circle Associates Firewalls
(March 1996)

Subject: Re: DOS firewalls
From: "Marcus J. Ranum" <mjr @ clark . net>
Organization: V-One Corporation, Baltimore, MD Office
Date: Sat, 23 Mar 1996 21:48:43 -0500 (EST)
To: firewalls @ greatcircle . com
Cc: hancock @ network-1 . com
Phone: 410-889-8569
Reply-to: mjr @ v-one . com

mdr @ vodka . sse . att . com writes:
>So you believe that OS security has nothing to do with network security? 

	Actually, in this case I think that's a reasonable
position to take. I wouldn't expect any of the readers of this
list who have a vested interest in secure operating systems to
agree with that view, of course. :)

	Network-1's box acts like a super-smart bridge, just like
a SunScreen. It's hard to attack because it's not there. The "not
there" effect is, against network-based attacks, infinitely
stronger than any host-based security I can imagine. Basically,
firewalls that operate in the super-smart bridge mode are going
to look at the contents of packet headers and data but don't
execute anything *from* the contents. So you're not able to
send it a packet that will trigger a sendmail hole, or any of
that nonsense - the box itself doesn't listen to packets directed
to itself.

	Consider a CheckPoint or a SunScreen. CheckPoint's
product runs in kernel space, as does SunScreen. Neither
of them is running in a protected virtual address space.
They are in the kernel, they are below the application
interface. Literally speaking, they are below *UNIX* and the
fact that they are running on a "UNIX box" is completely
irrelevant. Both CheckPoint and SunScreen protect all that
flimsy UNIX stuff by hiding it from the attacker. In
CheckPoint's case, the UNIX stuff is screened using their
in-kernel screening engine.  In SunScreen, ditto, plus the
SunScreen can also do the "invisibility trick" to further
protect itself from direct attack. What's the difference?

>DOS is a giant step backward in terms of security.

	You're conceptually locked into the idea that you're
comparing two operating systems. You're right that DOS'
security sucks, but that's not the point, here. DOS is acting
as a program loader for a program that is, essentially "firmware"
for something that looks and acts like a smart bridge running
a "firmware" kernel that isn't concerned about attack from
over the network because it, literally, isn't talking to
the network: it is just sucking chunks of memory back and
forth, after checking an in-memory truth table, updating it
as necessary, and that's it.

>The problem is that even stripped down, UNIX is still big and
>complicated.  But DOS is too small to protect itself.

	Even stripped down, UNIX is a pain in the butt. Frankly,
I love the idea of booting straight into a carefully coded meta
proxy that does everything including its own memory management
and buffering and doesn't have to worry about daemons, weird
NFS backdoors in the kernel, etc, etc.

>So FireWall/Plus has now *become* an operating system.

	Not quite, really, it's just a program. "Operating
system" assumes a lot of baggage about multitasking, multiuser,
daemons, dragons, different permission states, etc. My understanding
of how it works is that it's just a big program that acts
a lot like firmware except it boots from a primary loader called
DOS.

>Agreed, it's not a bad idea.  Is it as secure as a proxy on a gateway? No.
>Why?  I can put the proxy in a can and watch it run.

	Here I have to disagree with you, which is a weird
position to be in as the "inventor" of proxy firewalls. :)
Debuggers for DOS programs are a dime a dozen and we're
talking about a DOS program.

	Most importantly, though, the fact that it's not
running a full kernel with all those daemons and multiprocesses
and a full protocol stack and all that stuff - that makes it
a HELL of a lot easier to get right than a UNIX machine.

>W/o some independent third party doing analysis,
>all I have is your word "trust me it's secure."

	Here I have to step forward and confess to being an
independent third party who once did an in-depth red-team
analysis of Firewall/Plus. And I have to say that the
design is damn nice and I like the fact that they got rid
of UNIX. As an independent consultant, I spent several days
cooking up magic packets and tossing them at a Firewall/Plus
on my home LAN, and let me tell you, it was a boring lesson
in futility. Basically, the thing isn't there to attack. It's
not unlike trying to break into a bridge or repeater. I
spent more time trying to tickle the rules tables and overload
it with packets. A fast BSDI machine was able to bring it
to its knees with packets and it did what any self-respecting
smart bridge would do: it threw them away and let TCP retries
do their thing.

>Now if one were to start from the ground up to build a special purpose
>OS just for firewalling, you could design something incredibly secure. 

	Special purpose program just for firewalling is pretty
much what they built. You're catching on. It's not an OS because
it doesn't have to be.

>But it would be a lot of work.

	Only if you tried to add daemons and a protocol stack
and all that crap that multiuser multitasking systems are
saddled with. Your conceptual fixedness is frustrating.

>And it would require third party
>evaluation.

	Any vendor who is producing a firewall product, if they
are not completely insane, will have knowledgeable third parties
red-team their products. But even that boils down to who is a
knowledgeable expert and whether or not they are credible.
Pissing contests of "whose expert is bigger" are a waste of
time. Third party product evaluation (unless you are in
orange book la-la land) is for the benefit of the vendor,
not for giving the customer warm fuzzies. I red-teamed
Firewall/Plus for Network-1, and I'll leave it to you to
decide whether or not I'm qualified to evaluate the technical
merits of firewall implementations. That's a matter of
opinion.

mjr.

-- 
Chief Scientist, V-ONE Corporation  --  "Security for a connected world"
work            http://www.v-one.com
personal        http://www.clark.net/pub/mjr/mjr-top.html
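An added illustration of the "super-smart bridge" argument made in the message above. This is not Network-1's code and not anything from the post; it is a small, header-only stateless filter written for this archive page to show the two properties mjr leans on: the box never executes anything from a packet (every field it reads is bounds-checked, and the payload is not touched at all), and frames addressed to the bridge itself are simply discarded, so there is no listener to attack. The rule table, MAC addresses, port choices and the frames built by build_frame() are all constructed for the example; FireWall/Plus itself also looked at packet data, which this simplified version does not.

```c
/* Added example: a minimal stateless bridging packet filter.
 * Constructed for illustration; not the Network-1 product's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { DROP = 0, FORWARD = 1 };

/* One entry of the in-memory rule ("truth") table. */
struct rule {
    uint8_t      proto;     /* IP protocol number: 6 = TCP, 17 = UDP */
    uint16_t     dst_port;  /* destination port, 0 = any */
    enum verdict action;
};

/* Constructed rule table: permit inbound SMTP and DNS, drop everything else. */
static const struct rule RULES[] = {
    { 6,  25, FORWARD },
    { 17, 53, FORWARD },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Constructed MAC addresses: the bridge's own, and an inside host's. */
static const uint8_t BRIDGE_MAC[6] = { 0x02, 0x00, 0x00, 0xde, 0xad, 0x01 };
static const uint8_t HOST_MAC[6]   = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x10 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Forward or drop one Ethernet frame. Every field read is bounds-checked
 * against len, and the payload is never inspected, let alone executed. */
enum verdict filter_frame(const uint8_t *frame, size_t len)
{
    if (len < 14) return DROP;                          /* truncated Ethernet header */
    if (memcmp(frame, BRIDGE_MAC, 6) == 0) return DROP; /* sent to the bridge: it is "not there" */
    if (be16(frame + 12) != 0x0800) return DROP;        /* only IPv4 is bridged */

    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return DROP;   /* short or non-IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > iplen) return DROP;           /* header length field lies */
    if (be16(ip + 6) & 0x1fff) return DROP;             /* non-initial fragment: no ports to check */

    uint8_t proto = ip[9];
    const uint8_t *l4 = ip + ihl;
    if (iplen - ihl < 4) return DROP;                   /* need both port fields */
    uint16_t dport = be16(l4 + 2);

    for (size_t i = 0; i < NRULES; i++)                 /* first match wins, default deny */
        if (RULES[i].proto == proto &&
            (RULES[i].dst_port == 0 || RULES[i].dst_port == dport))
            return RULES[i].action;
    return DROP;
}

/* Build a constructed test frame: Ethernet + 20-byte IPv4 + 8-byte L4 header
 * + payload_len filler bytes. Returns the frame length, or 0 if cap is too small. */
size_t build_frame(uint8_t *buf, size_t cap, const uint8_t dst_mac[6],
                   uint8_t proto, uint16_t dport, size_t payload_len)
{
    size_t total = 14 + 20 + 8 + payload_len;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, dst_mac, 6);
    memset(buf + 6, 0x11, 6);                   /* source MAC (constructed) */
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                               /* version 4, IHL 5 words */
    ip[2] = (uint8_t)((20 + 8 + payload_len) >> 8);
    ip[3] = (uint8_t)(20 + 8 + payload_len);
    ip[9] = proto;
    uint8_t *l4 = ip + 20;
    l4[0] = 0xc0; l4[1] = 0x00;                 /* source port 49152 */
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    memset(l4 + 8, 0x41, payload_len);          /* filler the filter never reads */
    return total;
}

/* Convenience: build a frame with the given parameters and filter it. */
enum verdict verdict_for(const uint8_t dst_mac[6], uint8_t proto,
                         uint16_t dport, size_t payload_len)
{
    uint8_t buf[512];
    size_t n = build_frame(buf, sizeof buf, dst_mac, proto, dport, payload_len);
    return filter_frame(buf, n);
}

int main(void)
{
    printf("TCP/25 to inside host:   %s\n", verdict_for(HOST_MAC, 6, 25, 64) ? "FORWARD" : "DROP");
    printf("TCP/23 to inside host:   %s\n", verdict_for(HOST_MAC, 6, 23, 64) ? "FORWARD" : "DROP");
    printf("TCP/25 to bridge itself: %s\n", verdict_for(BRIDGE_MAC, 6, 25, 64) ? "FORWARD" : "DROP");
    return 0;
}
```

The point of the shape is that the only state is the static rule table and the only computation is a table lookup driven by a few header bytes; a frame that is too short, carries a bogus header length, or is aimed at the bridge's own address falls out as DROP before anything else happens, which is the "not there" effect the message describes.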

