On Wed, Dec 23, 1998 at 10:21:37PM -0500, Paul D. Robertson wrote:
> That's only because (a) administratively describing and implementing 
> security policies for systems with strong trust models is difficult and 
> (b) Most places interested in security aren't interested in spending 
> *time* to do security as much as they are in spending money.
> 
> MLS systems apply quite well to Web servers, DNS servers, mail systems, 
> even file servers, *especially* when you want to ensure that an 
> administrator doesn't have a MAC for reading the data.  I can think of a 
> few hundred places where that would be truly useful, I don't think it's a 
> case of applicability, more one of ease-of-administration and attitude 
> towards real INFOSEC in the general computing community.

Agreed.  My point was there are so few off-the-shelf applications.
Unfortunately, all of the trusted operating systems that I know of use a
model that makes administration rather difficult-- the DoD model.  It
would be nice to have a system that the average end user could administer;
that with a single command one could create a new label and one could also
easily determine the downgrade/upgrade procedures for trusted information.
Ideally, I picture something that looks like the firewall-1 gui but
describes dataflows within a machine.  Something like this kind of
syntax:

mlsbox: /usr/src/apache# /usr/bin/newlabel -n "apache" -c "make install"
mlsbox: /usr/src/apache# echo /usr/bin/runaslabel -n "apache" /usr/local/apache/httpd >> /etc/rc2.d/S72inetsvc
# get rid of the webserver label at a later date, and all related files
mlsbox: /# /usr/bin/deletelabel -n "apache"

I don't have a problem with a "god user".. Really, 99.9% of my clients are
unconcerned with what the admins can see-- they want to prevent and contain
compromises.  With the common trusted-path model, I get the joy of assuming
the administrative role, creating the label, etc, etc, etc.  As long as no
network services are running as the "real" root (except possibly one chosen 
service for remote access, like ssh).. one's exposure is considerably limited.

Also, I wish someone (like in the GNU Hurd) would relocate more functionality
to user space.  The fact that there have been many kernel buffer overflows
found in various operating systems in the IP stack concerns me.  A MLS system
does one no good if something running with supervisor privilege does something
stupid...

> I'm not sure it inconveniences your user base unless you have users 
> running at multiple levels (then it's a pain to switch levels), it certainly 
> inconveniences your administrators though.  Of course, with the right 
> trusted path stuff even simple MAC based compartments can really enhance 
> the security of a system that has to serve Internet users and/or 
> "extranet" services.

As a security consultant, I view userbase a little differently.. the "userbase"
is most often systems administrators. :)

> As far as costs go, fun to play with, not "done", still interesting and 
> totally free is a Linux-based system with multiple privacy/security modules:
> 
> http://agn-www.informatik.uni-hamburg.de/people/1ott/rsbac

Will check into it; may even possibly contribute as this is something that
could benefit many of my clients and be "cool" on my network. :)

Mike

> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                      PSB#9280

-- 
Michael P. Lyle
Security Architect
Exodus Communications
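An added illustration, not part of the mail above and not the interface of any real trusted OS: a toy Python model of the label lattice that the hypothetical newlabel / runaslabel / deletelabel sketch would sit on. The level names, the "apache" compartment and the file path are constructed for the example. It shows the point made in the thread that an all-powerful "god user" who lacks the service's compartment is denied read access under MAC, while the labelled service itself proceeds, and that deleting a label reports its files rather than silently downgrading them.

```python
# Hypothetical MLS label model (example code, not any trusted OS's API).
# A label is (sensitivity level, set of compartments).  Bell-LaPadula rules:
#   read  allowed iff subject dominates object   (no read up)
#   write allowed iff object dominates subject   (no write down)
# "Dominates" means level >= and compartments are a superset.

from dataclasses import dataclass

# Hierarchical levels; a higher number dominates a lower one (constructed names).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: the reader must dominate the data.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property: the target must dominate the writer, so high data
    # cannot be copied into a lower-labelled file.
    return obj.dominates(subject)


class LabelRegistry:
    """Bookkeeping behind the hypothetical newlabel / deletelabel commands."""

    def __init__(self):
        self.labels = {}   # label name -> Label
        self.files = {}    # path -> label name

    def newlabel(self, name: str, level: str, extra=()) -> Label:
        # A per-service label: its own compartment named after the service.
        lab = Label(level, frozenset(extra) | {name})
        self.labels[name] = lab
        return lab

    def label_file(self, path: str, name: str) -> None:
        self.files[path] = name

    def deletelabel(self, name: str) -> list:
        """Remove a label and return the paths that carried it.  They are
        reported for explicit re-labelling or destruction, never downgraded."""
        del self.labels[name]
        orphans = [p for p, n in self.files.items() if n == name]
        for p in orphans:
            del self.files[p]
        return orphans

    def check(self, subject: Label, path: str, op: str) -> bool:
        # Any op other than "read" is treated as a write (the stricter case).
        obj = self.labels[self.files[path]]
        return can_read(subject, obj) if op == "read" else can_write(subject, obj)


def demo() -> dict:
    """Walk through the scenario from the thread with constructed values."""
    reg = LabelRegistry()
    reg.newlabel("apache", "internal")
    conf = "/usr/local/apache/conf/httpd.conf"   # constructed path
    reg.label_file(conf, "apache")

    root = Label("secret")                          # uid 0, highest level, no compartment
    httpd = reg.labels["apache"]                    # what runaslabel -n "apache" would run as
    auditor = Label("secret", frozenset({"apache"}))  # cleared into the compartment

    return {
        "root_reads_conf": reg.check(root, conf, "read"),        # False: lacks compartment
        "httpd_reads_conf": reg.check(httpd, conf, "read"),      # True
        "httpd_writes_conf": reg.check(httpd, conf, "write"),    # True: same label
        "auditor_reads_conf": reg.check(auditor, conf, "read"),  # True: dominates
        "auditor_writes_conf": reg.check(auditor, conf, "write"),  # False: no write down
        "orphans_after_delete": reg.deletelabel("apache"),       # [conf]
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The interesting line is `root_reads_conf`: the subject sits at the top level of the hierarchy, yet the compartment check in `dominates` still fails, which is exactly the "administrator doesn't have a MAC for reading the data" property discussed above. Real systems add trusted-path and privilege mechanisms on top of this lattice; this model deliberately leaves them out.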