Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: Australian Defence/Government strength firewall requirements...
From: mcnabb @ argus-systems . com (Paul McNabb)
Date: Fri, 13 Jun 1997 10:04:24 -0500
To: proff @ suburbia . net
Cc: firewalls @ GreatCircle . com, spreston @ ozemail . com . au

>  From: proff @ suburbia . net
>  Date: Fri, 13 Jun 1997 14:20:35 +1000 (EST)
>  
>  > >  From: Consultancy Group <spreston @ ozemail . com . au>
>  > We do all this with Solaris, but I don't think many others do.  If I
>  > remember correctly, Secure Computing and DEC may have done this.  If
>  > Jon Spencer is still with us, he can let us know about DG.  Is filtering
>  > on security labels and assigning default labeling a common firewall
>  > requirement in Australia?
>  > 
>  > paul
>  
>  Filtering on security labels will become useful once something actually
>  starts generating them.
>  
>  Cheers,
>  Julian.

There are half a dozen or more companies with products that use security
labels internally (Argus, HP, DEC, SCO, DG, Harris, Bull, ICL, etc.).
But in addition to that, labels can be generated by a gateway/firewall/
router.  In fact, the Australian document requires this for some types
of firewalls as listed in the document.

I assume that at least some of the other vendors do what we do -- allow
the firewall/gateway to assign a security label to unlabeled traffic,
based on either host or network addresses.  This label then travels with
the packets and can be used for routing and filtering elsewhere in the
network.

For example, a LAN where sensitive information is processed can be
connected into the general company network, and all traffic from that
LAN can be marked "sensitive".  As long as the routers, etc. on the
company backbone respect that, they can prevent the packets from flowing
to either the Internet or to other untrusted LANs.  The originating
hosts can be dumb, label-unconscious hosts such as W95 boxes, or they
can be MLS systems, or they can be systems without MLS capabilities
but having label-aware networking that will apply the labels (such as
with the Global Internet NT networking stack).

It's not perfect, but it is quite useful and DOES stop a lot of
unwanted packet spillage into dangerous networks.  And there are
problems.  CISCO, for example, used to strip out these IP options
instead of just passing them through (they're official options BTW).
Very unfriendly to say the least.  I imagine CISCO still does this
but maybe someone on the list knows for sure.  We had a customer
that needed hundreds/thousands of these systems, and wanted to use
CISCO, but CISCO dismantled part of their required security policy.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb @ argus-systems . com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
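
[Added example, not part of Paul McNabb's post or of any Argus product; it illustrates the scheme he describes: a gateway stamping a security label onto unlabelled traffic by source network, the label travelling in the IP header, a downstream filter honouring it, and what happens when a router strips IP options. The post does not say which option Argus used; this example uses CIPSO (IP option type 134, from the IETF CIPSO draft, tag type 1), which label-aware Solaris and Linux stacks implement. The policy table, the DOI value, the sensitivity level 3, the sample addresses and the "integer ceiling" reading of a label are all assumptions made for the example.]

```python
import ipaddress
import struct

CIPSO_OPT = 134            # IP option type for CIPSO
CIPSO_TAG_BITMAP = 1       # CIPSO tag type 1: sensitivity level (+ optional category bitmap)
IPOPT_EOL, IPOPT_NOP = 0, 1

# Hypothetical gateway policy (not from the post): unlabelled traffic arriving
# from these source networks is marked with the given sensitivity level.
LABEL_POLICY = {ipaddress.ip_network("10.10.0.0/16"): 3}   # the "sensitive" LAN
DOI = 1                    # hypothetical CIPSO Domain of Interpretation


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; yields 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def assemble(fixed, options, payload):
    """Rebuild a packet from a 20-byte fixed header, 4-byte-aligned options and payload,
    recomputing IHL, total length and header checksum."""
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("IP option space exhausted; cannot carry the label")
    hdr = (bytes([0x40 | ihl]) + fixed[1:2] + struct.pack("!H", ihl * 4 + len(payload))
           + fixed[4:10] + b"\x00\x00" + fixed[12:20] + options)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def make_packet(src, dst, payload):
    """Constructed sample: a minimal unlabelled IPv4/UDP packet."""
    fixed = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 17, 0,
                        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return assemble(fixed, b"", payload)


def split_packet(pkt):
    """Return (fixed header, options, payload); rejects non-IPv4 and a bad IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return pkt[:20], pkt[20:ihl], pkt[ihl:]


def iter_options(options):
    """Yield (type, data) per option; EOL ends the list, NOP is a single pad byte."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == IPOPT_EOL:
            return
        if t == IPOPT_NOP:
            i += 1
            continue
        ln = options[i + 1] if i + 1 < len(options) else 0
        if ln < 2 or i + ln > len(options):
            raise ValueError("malformed IP option")
        yield t, options[i + 2:i + ln]
        i += ln


def cipso_level(pkt):
    """Sensitivity level from a CIPSO tag-1, or None if the packet carries no label."""
    _, options, _ = split_packet(pkt)
    for t, data in iter_options(options):
        if t != CIPSO_OPT:
            continue
        tags, j = data[4:], 0            # first 4 octets of the option are the DOI
        while j + 2 <= len(tags):
            ttype, tlen = tags[j], tags[j + 1]
            if tlen < 2 or j + tlen > len(tags):
                raise ValueError("malformed CIPSO tag")
            if ttype == CIPSO_TAG_BITMAP and tlen >= 4:
                return tags[j + 3]       # tag-1 layout: type, length, alignment, level, bitmap
            j += tlen
    return None


def build_cipso(doi, level):
    body = struct.pack("!I", doi) + bytes([CIPSO_TAG_BITMAP, 4, 0, level])  # tag-1, no categories
    return bytes([CIPSO_OPT, 2 + len(body)]) + body


def label_packet(pkt):
    """Gateway step: attach a CIPSO label to unlabelled packets from policy networks."""
    if cipso_level(pkt) is not None:
        return pkt                               # labelled upstream (MLS host); leave it alone
    fixed, options, payload = split_packet(pkt)
    src = ipaddress.ip_address(fixed[12:16])
    level = next((lvl for net, lvl in LABEL_POLICY.items() if src in net), None)
    if level is None:
        return pkt
    kept = b"".join(bytes([t, 2 + len(d)]) + d for t, d in iter_options(options))
    new_opts = kept + build_cipso(DOI, level)
    new_opts += bytes(-len(new_opts) % 4)        # zero (EOL) padding to a 32-bit boundary
    return assemble(fixed, new_opts, payload)


def forward_allowed(pkt, egress_max_level):
    """Backbone/egress filter: pass only packets labelled at or below the link's ceiling.
    Unlabelled traffic is treated as level 0 (public)."""
    return (cipso_level(pkt) or 0) <= egress_max_level


def strip_options(pkt):
    """What an option-stripping router does: forwards the packet with no IP options,
    so the label, and the policy that depends on it, is lost downstream."""
    fixed, _, payload = split_packet(pkt)
    return assemble(fixed, b"", payload)


if __name__ == "__main__":
    pkt = make_packet("10.10.4.7", "198.51.100.9", b"hello")   # sensitive LAN -> Internet
    labelled = label_packet(pkt)
    print("level after gateway:", cipso_level(labelled))
    print("Internet egress (ceiling 0) passes it:", forward_allowed(labelled, 0))
    print("... after a router stripped options:", forward_allowed(strip_options(labelled), 0))
```

Run as-is: the gateway stamps level 3 on the packet from 10.10.0.0/16, the egress filter with ceiling 0 drops it, and the same packet passes once an intermediate router has discarded the option. That last line is the failure mode described in the post: any hop that does not pass IP options through silently removes the label and with it the policy, so a label-based design has to verify option transparency on every device in the path.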
