> The effort has to do with compartmentalizing access.  The point being 
> made above, and it's not true of general purpose OS' is that you have to 
> use the right access path, authentication mechanism, and be on the right 
> account to do _x_ for any value of x.  The extrapolation of that point is 
> that you can have a Web developer write a CGI that calls /bin/sh, but 
> have it be completely useless as a CGI.  You can't get around the 
> restrictions with shell code, bad programmers, or evil products.

Yes.. I've seen wonderful things done-- unfortunate that so few of them
apply to the general populace.

A firewall made primarily for governmental use (skewed towards GOSIP,
actually) made use of proxies running in two different conduits on a
multi-level secure SCO box.  A single process was allowed to talk to
the processes on each side and to mediate access between them.  Two
entire IP/OSI stacks ran (one for each of the proxies), in user space,
only allowed to talk to their respective proxy.  So the security of
the system depended on reviewing the small piece of conduit code.
(For this reason, it was rather easy for this firewall to be reviewed
and to obtain B2 certification).

MLS serves a different purpose than a firewall-  you can regulate the
data flows within a machine, so you can in essence have multiple trust
levels ("labels") on the same box.  The downside is that it
inconveniences your user base a bit.

Trusted Solaris is actually relatively cheap.  Roughly $200 for Sparc,
I believe.

Mike

-- 
Michael P. Lyle
Security Architect
Exodus Communications
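The label checks behind the compartmentalizing described above (two proxies in separate conduits, one process allowed to talk to both, a CGI that can call /bin/sh but reach nothing useful), as an added example that is not part of the original message or of any product named in it; the level numbers, compartment names and queue objects are constructed for illustration.

```python
# Added example, not from the list post: a minimal model of the label checks an
# MLS system makes so that two proxies in separate compartments cannot exchange
# data except through a subject labelled for both (the "conduit").
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus a set of compartments (hypothetical names)."""
    level: int
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 when its level is at least as high and it carries
        # every compartment L2 carries.
        return self.level >= other.level and other.compartments <= self.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what your label dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects whose label dominates yours (no write down)."""
    return obj.dominates(subject)


def flows(subjects, objects):
    """Return {(subject, object): 'r' / 'w' / 'rw' / ''} for every pair."""
    out = {}
    for sname, s in subjects.items():
        for oname, o in objects.items():
            out[(sname, oname)] = ("r" if can_read(s, o) else "") + ("w" if can_write(s, o) else "")
    return out


# Constructed labels: one compartment per proxy, a conduit labelled for both,
# and a web CGI carrying no compartment at all.
SUBJECTS = {
    "outside_proxy": Label(1, frozenset({"outside"})),
    "inside_proxy": Label(1, frozenset({"inside"})),
    "conduit": Label(1, frozenset({"inside", "outside"})),
    "cgi": Label(0, frozenset()),
}
OBJECTS = {
    "outside_queue": Label(1, frozenset({"outside"})),
    "inside_queue": Label(1, frozenset({"inside"})),
    "public_html": Label(0, frozenset()),
}

if __name__ == "__main__":
    for (s, o), mode in sorted(flows(SUBJECTS, OBJECTS).items()):
        print(f"{s:14} -> {o:14} {mode or '-'}")
```

Under these rules the conduit can read both queues but write to neither, and the two proxies cannot touch each other's queue at all; the one process that mediates between the sides therefore needs a privilege the label rules do not grant, which is why only that small piece of code has to be reviewed.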