Firewall Wizards mailing list archives
Re: How automate firewall tests
From: Crispin Cowan <crispin () novell com>
Date: Sun, 27 Aug 2006 13:36:50 -0700
Chris Blask wrote:
> At 02:14 PM 22/08/2006, Patrick M. Hausen wrote:
>> On Tue, Aug 22, 2006 at 01:28:13PM -0400, Chris Blask wrote:
>>> o "You don't know what you don't know."
>> Which leads directly to Marcus' well known rant about positive security models.
> Indeed. Problem is, I don't believe in positive security models in the real world (with the theoretical exceptions of some military or SCADA networks that actually don't connect to the PSTN [still waiting to see one]).
I beg to differ. Even crappy packet-based firewalls are built on a positive security model: block all ports except 22, 25, 80, and 443. That's a positive security model. Perhaps not at a granularity that satisfies MJR, but it assuredly is a positive security model, and it is common as dirt. What's going on is that network behavior up to layer 4 is very regular, and thus can be regulated by a positive security model. Network traffic from layer 5-7 (and 8 :) is so irregular that positive security models break down, and so vendors resort to nasty kludges like negative security models.
> If we start now we can build a ground-up secure network just in time for it to be completely obsolete and we all retire in frustration...
The trick to using positive security models is to find an element of system behavior that is sufficiently regular that you can feasibly manage the positive security model. That is what is going on in my AppArmor <http://opensuse.org/Apparmor> product, which uses a positive security model based on file accesses represented by pathnames. SELinux uses a positive security model based on inodes and extended attributes, and has a consequent manageability problem. Many other host intrusion prevention systems use negative security models, and have consequent security problems.

Crispin

-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
Hack: adroit engineering solution to an unanticipated problem
Hacker: one who is adroit at pounding round pegs into square holes

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
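The layer-4 positive model Crispin describes ("block all ports except 22, 25, 80, and 443") can be made concrete with a toy stateful packet filter. The following is an added example written for this archive page, not code from the thread, from AppArmor or from any firewall product. It models a default-deny allowlist of (protocol, destination port) pairs plus a minimal connection table so that replies to flows opened from the protected side get back in, and puts a default-allow blocklist beside it for contrast. The packets, host addresses (RFC 5737 documentation ranges) and port numbers are constructed for the demonstration; the class and function names are the example's own.

```python
"""Toy positive- vs negative-security-model packet filter (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # tcp only: True on the connection-opening SYN


FlowKey = Tuple[str, str, int, str, int]


def _key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse_key(p: Packet) -> FlowKey:
    # Key a reply packet of the same flow would carry.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class PositiveFilter:
    """Default deny at layer 4. Only the listed (proto, dport) services may be
    opened from outside; anything else is dropped unless it belongs to a flow
    the filter already admitted (simple connection tracking)."""

    def __init__(self, allowed_services: Iterable[Tuple[str, int]]):
        self.allowed: Set[Tuple[str, int]] = set(allowed_services)
        self.flows: Set[FlowKey] = set()

    def _track(self, p: Packet) -> None:
        self.flows.add(_key(p))
        self.flows.add(_reverse_key(p))

    def decide(self, p: Packet, inbound: bool) -> str:
        if _key(p) in self.flows:
            return "ACCEPT"            # continuation or reply of a tracked flow
        if not inbound:
            self._track(p)             # protected side opening a flow outward
            return "ACCEPT"
        if (p.proto, p.dport) in self.allowed and (p.proto == "udp" or p.syn):
            self._track(p)             # new inbound connection to a listed service
            return "ACCEPT"
        return "DROP"                  # default: not explicitly allowed, so denied


class NegativeFilter:
    """Default allow with a blocklist of known-bad ports, for contrast only."""

    def __init__(self, blocked_services: Iterable[Tuple[str, int]]):
        self.blocked: Set[Tuple[str, int]] = set(blocked_services)

    def decide(self, p: Packet, inbound: bool) -> str:
        if inbound and (p.proto, p.dport) in self.blocked:
            return "DROP"
        return "ACCEPT"                # everything nobody thought to list gets through


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Push a constructed packet sequence through both filters, in order.
    Returns {label: (positive_decision, negative_decision)}."""
    pos = PositiveFilter({("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 443)})
    neg = NegativeFilter({("tcp", 23), ("tcp", 135)})   # ports someone remembered to block
    outside, inside, resolver = "198.51.100.7", "192.0.2.10", "203.0.113.53"
    seq = [
        ("syn to https",       Packet("tcp", outside, 40001, inside, 443, syn=True), True),
        ("syn to rdp",         Packet("tcp", outside, 40002, inside, 3389, syn=True), True),
        ("ack-only to http",   Packet("tcp", outside, 40003, inside, 80), True),  # no flow
        ("inside dns query",   Packet("udp", inside, 51000, resolver, 53), False),
        ("dns reply",          Packet("udp", resolver, 53, inside, 51000), True),
        ("unsolicited udp 53", Packet("udp", outside, 53, inside, 51001), True),
        ("https data",         Packet("tcp", outside, 40001, inside, 443), True),
    ]
    results: Dict[str, Tuple[str, str]] = {}
    for label, p, inbound in seq:
        results[label] = (pos.decide(p, inbound), neg.decide(p, inbound))
    return results


if __name__ == "__main__":
    for label, (p_dec, n_dec) in run_scenario().items():
        print(f"{label:20s} positive={p_dec:6s} negative={n_dec}")
```

The two rows worth staring at are "syn to rdp" and "unsolicited udp 53": the positive filter drops both because nothing on its list matches, while the blocklist passes both because nobody listed those ports, which is the "you don't know what you don't know" problem from the thread. The "ack-only to http" row shows why the positive model at layer 4 needs state: a packet to an allowed port that is not the start of a connection and belongs to no tracked flow is still dropped, and the "dns reply" row shows the reverse, a reply that would otherwise need a hole for every ephemeral port.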
Current thread:
- Re: How automate firewall tests, (continued)
- Re: How automate firewall tests Marcus J. Ranum (Aug 18)
- Re: How automate firewall tests Isaac Van Name (Aug 20)
- Re: How automate firewall tests Marcus J. Ranum (Aug 20)
- Re: How automate firewall tests Tim Shea (Aug 21)
- Re: How automate firewall tests Paul D. Robertson (Aug 21)
- Re: How automate firewall tests ArkanoiD (Aug 21)
- Re: How automate firewall tests Marcus J. Ranum (Aug 21)
- Re: How automate firewall tests Chris Blask (Aug 22)
- Re: How automate firewall tests Patrick M. Hausen (Aug 22)
- Re: How automate firewall tests Chris Blask (Aug 23)
- Re: How automate firewall tests Crispin Cowan (Aug 28)
- Re: How automate firewall tests Marcus J. Ranum (Aug 28)
- Re: How automate firewall tests Marcus J. Ranum (Aug 28)
- Re: How automate firewall tests Cat Okita (Aug 29)
- Re: How automate firewall tests Marcus J. Ranum (Aug 23)
- Re: How automate firewall tests Jim Seymour (Aug 23)
- Re: How automate firewall tests Tina Bird (Aug 23)
- Re: How automate firewall tests lordchariot (Aug 23)
- Re: How automate firewall tests Jim Seymour (Aug 21)
- Re: How automate firewall tests Chris Byrd (Aug 21)
- Message not available
- Re: How automate firewall tests Marcus J. Ranum (Aug 22)