Firewall Wizards mailing list archives

Re: How automate firewall tests

From: Crispin Cowan <crispin () novell com>
Date: Sun, 27 Aug 2006 13:36:50 -0700

Chris Blask wrote:

At 02:14 PM 22/08/2006, Patrick M. Hausen wrote:

On Tue, Aug 22, 2006 at 01:28:13PM -0400, Chris Blask wrote:

o  "You don't know what you don't know."

Which leads directly to Marcus' well known rant about positive
security models.

Indeed.  Problem is, I don't believe in positive security models in the real world (with the theoretical exceptions 
of some military or SCADA networks that actually don't connect to the PSTN [still waiting to see one]).

I beg to differ. Even crappy packet-based firewalls are built on a
positive security model: block all ports except 22, 25, 80, and 443.
That's a positive security model. Perhaps not at a granularity that
satisfies MJR, but it assuredly is a positive security model, and it is
common as dirt.

What's going on is that network behavior up to layer 4 is very regular,
and thus can be regulated by a positive security model. Network traffic
from layer 5-7 (and 8 :) is so irregular that positive security models
break down, and so vendors resort to nasty kludges like negative
security models.

If we start now we can build a ground-up secure network just in time for it to be completely obsolete and we all 
retire in frustration..

The trick to using positive security models is to find an element of
system behavior that is sufficiently regular that you can feasibly
manage the positive security model. That is what is going on in my
AppArmor <http://opensuse.org/Apparmor> product, which uses a positive
security model based on file accesses represented by pathnames. SELinux
uses a positive security model based on inodes and extended attributes,
and has a consequent manageability problem. Many other host intrusion
prevention systems use negative security models, and have consequent
security problems.

Crispin

-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
     Hack: adroit engineering solution to an unanticipated problem
     Hacker: one who is adroit at pounding round pegs into square holes


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: How automate firewall tests, (continued)
- - - Re: How automate firewall tests Marcus J. Ranum (Aug 18)
    - Re: How automate firewall tests Isaac Van Name (Aug 20)
    - Re: How automate firewall tests Marcus J. Ranum (Aug 20)
    - Re: How automate firewall tests Tim Shea (Aug 21)
    - Re: How automate firewall tests Paul D. Robertson (Aug 21)
    - Re: How automate firewall tests ArkanoiD (Aug 21)
    - Re: How automate firewall tests Marcus J. Ranum (Aug 21)
    - Re: How automate firewall tests Chris Blask (Aug 22)
    - Re: How automate firewall tests Patrick M. Hausen (Aug 22)
    - Re: How automate firewall tests Chris Blask (Aug 23)
    - Re: How automate firewall tests Crispin Cowan (Aug 28)
    - Re: How automate firewall tests Marcus J. Ranum (Aug 28)
    - Re: How automate firewall tests Marcus J. Ranum (Aug 28)
    - Re: How automate firewall tests Cat Okita (Aug 29)
    - Re: How automate firewall tests Marcus J. Ranum (Aug 23)
    - Re: How automate firewall tests Jim Seymour (Aug 23)
    - Re: How automate firewall tests Tina Bird (Aug 23)
    - Re: How automate firewall tests lordchariot (Aug 23)
    - Re: How automate firewall tests Jim Seymour (Aug 21)
    - Re: How automate firewall tests Chris Byrd (Aug 21)
    - Message not available
    - Re: How automate firewall tests Marcus J. Ranum (Aug 22)

(Thread continues...)