Chris Blask wrote:
> At 02:14 PM 22/08/2006, Patrick M. Hausen wrote:
>> On Tue, Aug 22, 2006 at 01:28:13PM -0400, Chris Blask wrote:
>>> o "You don't know what you don't know."

>> Which leads directly to Marcus' well known rant about positive
>> security models.

> Indeed. Problem is, I don't believe in positive security models in the real world (with the theoretical exceptions of some military or SCADA networks that actually don't connect to the PSTN [still waiting to see one]).

I beg to differ. Even crappy packet-based firewalls are built on a
positive security model: block all ports except 22, 25, 80, and 443.
That's a positive security model. Perhaps not at a granularity that
satisfies MJR, but it assuredly is a positive security model, and it is
common as dirt.

What's going on is that network behavior up to layer 4 is very regular,
and thus can be regulated by a positive security model. Network traffic
from layers 5-7 (and 8) is so irregular that positive security models
break down, and so vendors resort to nasty kludges like negative
security models.

> If we start now we can build a ground-up secure network just in time for it to be completely obsolete and we all retire in frustration..

The trick to using positive security models is to find an element of
system behavior that is sufficiently regular that you can feasibly
manage the positive security model. That is what is going on in my
AppArmor product, which uses a positive
security model based on file accesses represented by pathnames. SELinux
uses a positive security model based on inodes and extended attributes,
and has a consequent manageability problem. Many other host intrusion
prevention systems use negative security models, and have consequent
security problems.


Crispin Cowan, Ph.D.
Director of Software Engineering, Novell
Hack: adroit engineering solution to an unanticipated problem
Hacker: one who is adroit at pounding round pegs into square holes

firewall-wizards mailing list
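As an added illustration of the point argued above (this is not code from Crispin's message or from AppArmor; the port lists, the web-server profile and the traffic are all constructed), the following Python evaluates the same constructed traffic and file accesses under a positive model (enumerate the good, default deny) and a negative model (enumerate the bad, default allow). The divergence shows up exactly where "you don't know what you don't know": services and paths the policy author never heard of.

```python
"""Positive vs negative security models, evaluated over constructed input.

Added example, not from the original mailing-list post. The port sets,
the hypothetical WEB_PROFILE and the traffic below are all made up here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


# Positive model: the "crappy packet filter" from the post. Only listed
# services are known-good; anything else, including a service that did not
# exist when the rule was written, is dropped.
ALLOWED_TCP_PORTS = {22, 25, 80, 443}

# Negative model: a constructed list of ports the operator happened to know
# were bad when the policy was written. Everything else is accepted.
BLOCKED_TCP_PORTS = {23, 135, 139, 445, 1433}


def positive_filter(pkt: Packet) -> str:
    """Default-deny: accept only the enumerated TCP services."""
    if pkt.proto == "tcp" and pkt.dport in ALLOWED_TCP_PORTS:
        return "accept"
    return "drop"


def negative_filter(pkt: Packet) -> str:
    """Default-allow: drop only the enumerated bad TCP services."""
    if pkt.proto == "tcp" and pkt.dport in BLOCKED_TCP_PORTS:
        return "drop"
    return "accept"


def divergent(packets) -> list:
    """Destination ports where the two models disagree: the unknowns."""
    return [p.dport for p in packets
            if positive_filter(p) != negative_filter(p)]


# The same idea one layer up: a pathname-based positive model for a process,
# in the spirit of the post's description of AppArmor. Hypothetical profile
# for a web server; modes are r (read), w (write), a (append).
WEB_PROFILE = {
    "/etc/httpd/**": {"r"},        # everything under the config dir
    "/var/www/**": {"r"},          # everything under the docroot
    "/var/log/httpd/*": {"w", "a"},  # files directly in the log dir
}

# Negative host-IPS counterpart: a constructed list of "sensitive" paths.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}


def _glob_match(pattern: str, path: str) -> bool:
    """Minimal pathname globbing: '/**' = any depth, '/*' = one component."""
    if pattern.endswith("/**"):
        return path.startswith(pattern[:-2])
    if pattern.endswith("/*"):
        prefix = pattern[:-1]
        return path.startswith(prefix) and "/" not in path[len(prefix):]
    return path == pattern


def path_allowed(path: str, mode: str, profile=WEB_PROFILE) -> bool:
    """Positive model: an access is allowed only if some rule grants it."""
    return any(_glob_match(pat, path) and mode in modes
               for pat, modes in profile.items())


def negative_path_filter(path: str, mode: str) -> str:
    """Negative model: deny listed sensitive paths, allow everything else."""
    return "deny" if path in SENSITIVE_PATHS else "allow"


if __name__ == "__main__":
    # Constructed traffic: two expected services, a new remote-desktop
    # service, a known-bad SMB port, and an alternate-HTTPS port nobody
    # wrote a rule for.
    traffic = [Packet("tcp", p) for p in (22, 443, 3389, 445, 8443)]
    for pkt in traffic:
        print(pkt.dport, positive_filter(pkt), negative_filter(pkt))
    print("models disagree on:", divergent(traffic))
    # A compromised web server trying to plant an SSH key: not in the
    # sensitive list, so the negative model lets it through; the positive
    # profile never granted write access there.
    target = "/root/.ssh/authorized_keys"
    print(target, path_allowed(target, "w"), negative_path_filter(target, "w"))
```

The interesting rows are the ones the policy author did not anticipate: port 3389 and 8443 traffic, and the write to a path nobody thought to blocklist. The positive model handles them by construction; the negative model handles them only if someone already knew about them.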