Firewall Wizards mailing list archives
Re: Firewall Primitives
From: mag () bunuel tii matav hu (Magosányi Árpád)
Date: Tue, 5 Nov 2002 17:42:33 +0000
My mail client thinks that Victoria of Borg wrote the following:
A firewall needs to do more than just Keep The Bad Guys Out. It also needs to make sure my own users are not trying to be bad guys too. And
And at least in an intranet environment the firewall also acts as an MDIA
component of the IT infrastructure (see the Red book).
'M' - Mandatory Access Control enforcement. The firewall helps to implement
the organisational flow control rules.
'D' - Discretionary Access Control enforcement. The firewall enables
-at the discretion of the owner of the protected system, within the
organisational flow control rules- some information/control
flows.
'I' - Identification & Authentication & Authorization. The firewall enforces the I&A&A
requirements of the organisation when these functions of the protected
system are not adequate (and for deepening granularity of its 'D' function).
'A' - Audit. The firewalls are the natural choice for acting as an E component
of an IDS, and forming the backbone of the log transport system.
(It was amazingly easy to put up a central event analyzer using syslog-ng,
postgresql (or mysql if you like that better), festival (!), and
some short python and SQL scripts. The system uses Artificial
Ignorance for minimizing the frequency of events the operator should
follow, and SQL queries to generate trend information.)
This is why, IMHO of course, the abstract concept of "firewall" is in reality a group of machines in most places. A packet-filtering box called a 'firewall', perhaps a connection-oriented 'firewall', one or several, 'application-level gateways' (proxies, by most people's naming), and sneaky QoS configs on the router(s). All of which serves as
And the servers for central management, configuration management, authentication infrastructure, event analysis. (and the honeypots to keep the operational staff happy:)
an enforcement mechanism for the written policy.
You can never overemphasize the last two words.
--
GNU GPL: only from a clean source
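Added illustration (my own example code, not from this post or the list) of the artificial-ignorance step and the SQL trend query the post describes: syslog lines matching a list of already-understood event classes are counted in a database (SQLite here as a stand-in for PostgreSQL) rather than shown, anything unmatched is handed to the operator, and a per-minute query gives the trend. The log lines, the host name fw1 and the patterns are constructed for the example.

```python
import re
import sqlite3
# Constructed sample syslog lines (not real logs) from a hypothetical firewall host fw1.
SAMPLE_LOG = """\
Nov  5 17:40:01 fw1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Nov  5 17:40:05 fw1 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP DPT=23
Nov  5 17:41:13 fw1 sshd[2211]: Accepted publickey for ops from 10.0.0.5 port 40122
Nov  5 17:42:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP DPT=23
Nov  5 17:42:33 fw1 sshd[2212]: Failed password for root from 10.0.0.9 port 51000
Nov  5 17:43:00 fw1 CRON[1240]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Artificial-ignorance list: each pattern is a class of events the operator has
# decided not to read line by line.  Whatever matches no pattern gets shown.
IGNORE = {
    "cron": re.compile(r"CRON\[\d+\]: \(root\) CMD "),
    "telnet_probe": re.compile(r"kernel: DROP .*PROTO=TCP DPT=23$"),
    "ssh_ok": re.compile(r"sshd\[\d+\]: Accepted publickey "),
}
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d (\S+) (.*)$")  # minute, host, msg

def triage(text, conn):
    """Store ignored events by class in SQL; return the lines nobody has ignored yet."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (minute TEXT, host TEXT, klass TEXT)")
    novel = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:  # an unparsable line is never silently dropped
            novel.append(line)
            continue
        minute, host, msg = m.groups()
        klass = next((k for k, rx in IGNORE.items() if rx.search(msg)), None)
        if klass is None:
            novel.append(line)
        else:
            conn.execute("INSERT INTO events VALUES (?, ?, ?)", (minute, host, klass))
    conn.commit()
    return novel

def trend(conn, klass):
    """Per-minute counts for one ignored class: the trend report instead of raw lines."""
    sql = "SELECT minute, COUNT(*) FROM events WHERE klass = ? GROUP BY minute ORDER BY minute"
    return conn.execute(sql, (klass,)).fetchall()

def demo(text=SAMPLE_LOG):
    """Run both steps on one log block: (lines to review, telnet-probe trend)."""
    db = sqlite3.connect(":memory:")
    novel = triage(text, db)
    return novel, trend(db, "telnet_probe")
```

Running `demo()` on the sample leaves only the failed root login for review, while the repeated telnet probes appear solely as per-minute counts.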