Re: [fw-wiz] The Mathematics of Relative Security

• Previous message: John Adams: "Re: [fw-wiz] The Mathematics of Relative Security"
• In reply to: Crispin Cowan: "Re: [fw-wiz] The Mathematics of Relative Security"
• Next in thread: Crispin Cowan: "Re: [fw-wiz] The Mathematics of Relative Security"
• Reply: Crispin Cowan: "Re: [fw-wiz] The Mathematics of Relative Security"
• Reply: Mark Tinberg: "Re: [fw-wiz] The Mathematics of Relative Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Crispin Cowan <crispin@immunix.com>, Chris Pugrud <chris@pugrud.net>
Date: Tue, 21 Sep 2004 12:28:15 -0700 (PDT)

--- Crispin Cowan <crispin@immunix.com> wrote:
> More succinctly, if you ask the question "am I secure?" in a highly
> rigorous fashion, the likely answer is "Hell no" :)

This is distinctly the intuitively obvious answer. The more rigourous answer
is that only insecurity can be proven, testing security reduces to the halting
problem.

1. Test security
2. If you find a problem, stop, the system is insecure
3. If you run out of tests, get more, you obviously missed something
4. return to 1

I'm wondering more if the problem can be reduced to a simple enough model that
it is both rigorous and meaningful.

It is easy to prove the relative security of networks that are air-gapped.
They enjoy absolute relative security because there is no connection between
them.

TCP also introduces a wrinkle that is not easily covered by the set theory I
have learned, or I'm missing something - the concept of one-way membership. If
a "firewall" sits bewteen A and B and enforces the rule that says A can
initiate to B, but B can not initiate to A, then A is relatively secure with
respect to B while B is fully exposed to A. Now expand this to include C, the
DMZ that sits between them (exercise left to the reader to save space). You
start to learn more about why DMZ's work and why they fail (or really fail when
violated). I know that the concepts are obvious to reasonable

Once this is fleshed out you land into the rather thorny issue of highly
restricted but not absolute boundaries. What effect does opening up another
port on the firewall have? I think it's silly to walk down this road until the
simplest model is rigorously fleshed out. What is intuitively obvious, the
relative security when the interactions of three domains is analyzed, is much
harder to analyze when you are talking about complex compartmentalized systems
that have many domains and non-intuitive boundaries.

Good reading, thank you for the links,

Chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: John Adams: "Re: [fw-wiz] The Mathematics of Relative Security"
• In reply to: Crispin Cowan: "Re: [fw-wiz] The Mathematics of Relative Security"
• Next in thread: Crispin Cowan: "Re: [fw-wiz] The Mathematics of Relative Security"
• Reply: Crispin Cowan: "Re: [fw-wiz] The Mathematics of Relative Security"
• Reply: Mark Tinberg: "Re: [fw-wiz] The Mathematics of Relative Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]