Re: [fw-wiz] How automate firewall tests
- From: Crispin Cowan <crispin@xxxxxxxxxx>
- Date: Sun, 27 Aug 2006 13:36:50 -0700
Chris Blask wrote:
> At 02:14 PM 22/08/2006, Patrick M. Hausen wrote:
>> On Tue, Aug 22, 2006 at 01:28:13PM -0400, Chris Blask wrote:
>>> o "You don't know what you don't know."
>> Which leads directly to Marcus' well known rant about positive
>> security models.
> Indeed. Problem is, I don't believe in positive security models in the
> real world (with the theoretical exceptions of some military or SCADA
> networks that actually don't connect to the PSTN [still waiting to see
> one]).

I beg to differ. Even crappy packet-based firewalls are built on a
positive security model: block all ports except 22, 25, 80, and 443.
That's a positive security model. Perhaps not at a granularity that
satisfies MJR, but it assuredly is a positive security model, and it is
common as dirt.

What's going on is that network behavior up to layer 4 is very regular,
and thus can be regulated by a positive security model. Network traffic
from layer 5-7 (and 8 :) is so irregular that positive security models
break down, and so vendors resort to nasty kludges like negative
security models.
> If we start now we can build a ground-up secure network just in time
> for it to be completely obsolete and we all retire in frustration..

The trick to using positive security models is to find an element of
system behavior that is sufficiently regular that you can feasibly
manage the positive security model. That is what is going on in my
AppArmor <http://opensuse.org/Apparmor> product, which uses a positive
security model based on file accesses represented by pathnames. SELinux
uses a positive security model based on inodes and extended attributes,
and has a consequent manageability problem. Many other host intrusion
prevention systems use negative security models, and have consequent
security problems.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hack: adroit engineering solution to an unanticipated problem
Hacker: one who is adroit at pounding round pegs into square holes
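The following Python is an added illustration of the two points Crispin makes above: a layer-4 default-deny rule set (block everything except 22, 25, 80 and 443) set beside a default-allow blocklist, and an AppArmor-style positive model for file access keyed on pathnames. It is not code from the thread and not AppArmor's own implementation; the blocklist, the sample packets, the example profile for `/usr/sbin/httpd` and the glob semantics (`*` stays within one directory, `**` crosses directories) are all constructed assumptions for this example.

```python
import posixpath
import re
from dataclasses import dataclass

# ---- Layer-4 packet filtering: positive vs negative model ----------------

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int

# The allow-list from the mail: anything not listed is dropped.
ALLOWED_TCP_PORTS = frozenset({22, 25, 80, 443})

# A constructed blocklist standing in for a negative-model rule set.
KNOWN_BAD_TCP_PORTS = frozenset({23, 135, 445})

def positive_l4_policy(pkt: Packet) -> str:
    """Default-deny: a packet passes only if it matches an allow rule."""
    if pkt.proto == "tcp" and pkt.dst_port in ALLOWED_TCP_PORTS:
        return "ACCEPT"
    return "DROP"

def negative_l4_policy(pkt: Packet) -> str:
    """Default-allow: a packet is dropped only if it matches a deny rule."""
    if pkt.proto == "tcp" and pkt.dst_port in KNOWN_BAD_TCP_PORTS:
        return "DROP"
    return "ACCEPT"

# Constructed sample traffic, including ports that neither list mentions.
SAMPLE_PACKETS = [
    Packet("tcp", 22), Packet("tcp", 80), Packet("tcp", 443),
    Packet("tcp", 23), Packet("tcp", 445),
    Packet("tcp", 3389), Packet("tcp", 8080), Packet("udp", 53),
]

def ports_where_models_disagree(packets):
    """Ports on which the two models differ. These are exactly the flows
    nobody anticipated when writing rules: the negative model lets them
    through, the positive model drops them."""
    return sorted(p.dst_port for p in packets
                  if positive_l4_policy(p) != negative_l4_policy(p))

# ---- Pathname-based file access: an AppArmor-style positive model --------

# Constructed example profile: program -> [(path glob, permissions)].
PROFILE = {
    "/usr/sbin/httpd": [
        ("/etc/httpd/**", "r"),
        ("/var/www/**", "r"),
        ("/var/log/httpd/*", "w"),
    ],
}

def _glob_match(pattern: str, path: str) -> bool:
    """'**' matches across '/', '*' does not (assumed semantics)."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.fullmatch(regex, path) is not None

def check_file_access(program: str, path: str, perm: str) -> bool:
    """Positive model: allowed only if some rule in the program's profile
    grants `perm` on the path. The path is canonicalised first, so
    '/var/www/../etc/passwd' is judged as '/etc/passwd' and does not
    ride on the '/var/www/**' rule. No profile means nothing is allowed."""
    canonical = posixpath.normpath(path)
    if not canonical.startswith("/"):
        return False
    for pattern, perms in PROFILE.get(program, []):
        if perm in perms and _glob_match(pattern, canonical):
            return True
    return False

if __name__ == "__main__":
    print("models disagree on ports:", ports_where_models_disagree(SAMPLE_PACKETS))
    print("httpd read /var/www/../etc/passwd:",
          check_file_access("/usr/sbin/httpd", "/var/www/../etc/passwd", "r"))
```

Running it shows the disagreement set is the unlisted traffic (53/udp, 3389, 8080): the positive model needs no knowledge of those ports to stop them, while the negative model would need a rule per surprise. The file-access half shows why a pathname policy is manageable (a handful of globs per program) but only once paths are canonicalised before matching, since the policy is stated in terms of names rather than the inodes SELinux labels.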
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards