RE: "top secret" security does require blocking SSH

[rdobbins () netmore net]

They're well aware of the excellent points you make, I assure you.

-----Original Message-----
From: Alexei Roudnev [mailto:alex () relcom net]
Sent: Monday, July 10, 2000 10:29 AM
To: rdobbins () netmore net; nanog () merit edu; gwoods () acm org
Subject: Re: "top secret" security does require blocking SSH


Btw, it's NOT ENOUGPH.

I mean - if , for example, Dod have hight classifyed network, and they cut
all connections to the Internet (that's obvious) -
they are not yet SAFE. They should prevent access to their network from the
computers used for the Internet network - too. It
can be - notebooks which are used for the classified access, but sometimes
are used to read a public mail; that should not be
dialup access, etc etc. On the other hand, it's not difficult to allow mail
exchange with Internet (of course, no any objects,
word files, attachments; but text messages are non unsecure from the network
(not content) piont of view.

And talking about original message - it's not about 22'th port; the problem
appear if you allow ANY kind of access not
controlled by the network admin. In my practice, we restricted 22 port and
allowed telnet port, because we have used one time
passwords (but ssh with OTP is much more secure than telnet with OTP).

And just again, this is only a small brick in the wall.

----- Original Message -----
From: <rdobbins () netmore net>
To: <nanog () merit edu>; <gwoods () acm org>
Sent: Sunday, July 09, 2000 1:48 PM
Subject: "top secret" security does require blocking SSH


> You are correct, it cannot.
>
> I've spent a good portion of my career working on networks which are
> CLASSIFIED or higher.  There are very strong restrictions on
> simultaneous interconnection between systems of varying
> classifications.  In most cases, complete -physical- isolation is
> required, although waivers may be obtained on a case-by-case basis.  The
> enforcement of these policies of course varies between agencies,
> bureaus, and departments.  I remember just a year-and-a-half ago
> installing fibre switchboxes on some USAF nodes which at various times
> needed to have connectivity to networks of varying security levels.
> This is slowly changing at the lower levels due to the advances in
> proxying technology, etc., but when you reach TS/SCI or SAP/SAR it's a
> different story, and understandably so.
>
> As a side note, the reason the first version of Microsoft Exchange, 4.0,
> was so late was due in large part to the fact that Microsoft wanted to
> bid on the Defense Messaging System, or DMS contract.  DMS supports all
> levels of classification and types from UNCLASSIFIED all the way through
> FLASH, CRITIC, etc.  The powers that be understand that an
> application-level service like messaging has to be able to cross such
> boundaries, but only with strong rules which prevent the dissemination
> of information of higher sensitivity to those who aren't cleared for
> same.
>
> To the best of my knowledge, there are no networks in DoD, the armed
> forces, or various other arms of the U.S. government which are ranked as
> SECRET or above which have any form of Internet connectivity at anything
> less than two removes.  One of the reasons that it's so hard for them to
> come up with a coherent and workable overall information security policy
> is because of the (very necessary, more so than the typical slashdotter
> tends to believe) compartmentalization of information - and hence, IT
> resources - within various organizations which deal with sensitive
> information and issues.
>
> "Greg A. Woods" wrote:
> > [ On Sunday, July 9, 2000 at 08:22:46 (-0700), Roeland M.J. Meyer wrote:
]
> > > Subject: RE: RBL-type BGP service for known rogue networks?
> > >
> > > In many organizations, a system isn't considered secure unless
> > > port 22 is blocked, at the firewall. It is, after all, the secure
> > > port, that must mean that you have to block it to be secure,
> > > right?
> >
> > Yes, that's exactly right, but not for the reasons you imply.
> >
> > If the primary concern of a security policy is that covert channels must
> > be prevented then it is absolutely mandatory that port-22 be blocked
> > since it is by definition a covert channel.
> >
> > However having any kind of Internet connection, proxied or not, into a
> > site where sensitive information must not be allowed to be leaked is in
> > effect a violation of the policy.
> >
> > Unfortunately we're rapidly approaching (if we're not already there) a
> > state of affairs where it is impossible to technically prevent inbound
> > and outbound covert channels wherever people are required to interact in
> > a privileged way with security sensitive systems.  A paper given at last
> > year's ACM New Security Paradigms Workshop by Dean Povey ("Optomistic
> > Security: A New Access Control Paradigm") suggests that it might be
> > better to adopt the view that security officers should "Make the users
> > ask forgivness not permission."  Whether this paradigm can successfully
> > be delployed in top secret (or higher) environments or not is yet to be
> > discussed.  I suspect it can but then I'm not an expert in traditional
> > forms of high security.
> >
> > --
> >                                                         Greg A. Woods
> >
> > +1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
> > Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
>
> --
> -----------------------------------------------------------
> Roland Dobbins <mordant () gothik org> // 818.535.5024 voice
>
>  One of the surest signs of the philistine is his reverence
>  for the superior tastes of those who put him down.
>
>                 -- Pauline Kael