comp.lang.ada
From: "Warren W. Gay VE3WWG" <ve3wwg@NoSpam.cogeco.ca>
Subject: Re: For the AdaOS folks
Date: Tue, 04 Jan 2005 23:37:53 -0500
Message-ID: <A9KCd.15445$Y_4.1477573@read2.cgocable.net>
In-Reply-To: <gemini.i9thgm00phazo00dc.nick.roberts@acm.org>

Nick Roberts wrote:

>"Warren W. Gay VE3WWG" <ve3wwg@NoSPAM.cogeco.ca> wrote:
>>Dmitry A. Kazakov wrote:
>>>But the only need in firewall is the policy of trusting behind it.
>>
>>That is all I need to keep you from messing with my files ;-)
> 
> I think I side with Dmitry on this one.

Thankfully, my firewall protects me from you as well ;-)

> When reading a variety of authoritative documents, papers, and books on the
> subject of computer security, one of the basic principles they all espouse
> is that of 'minimum necessary privilege'. In other words, access is denied
> by default, of every object (file, database table, etc.) to every subject
> (person, program). Access is granted between an object and a subject only
> when there is a specific need.

Ok, but how does that eliminate the concept of a firewall? It does
precisely this (deny all access) by default, allowing the minimum
necessary permission. Under perfect circumstances, I think you are
saying that a firewall is redundant. But in practice, it'll never
be redundant.

> Okay, I think this principle needs to be taken as a guideline, rather than a
> strict rule. It's not likely to be practical on a very fine-grained, highly
> dynamic level. Nevertheless, I intend to make the security mechanisms
> capable of supporting this principle, to a reasonable degree, and to make
> the default security policies implement it.
> 
> In practice, that means that, for example, when a user creates a new file
> (and saves it), the new file is, by default, inaccessible to (and invisible
> to) all other unprivileged users.

I am not disagreeing with this - and never have.  But are you going
to trust 100s/1000s of CPUs to all be properly locked down to the
outside world?

> When somebody uses an internet service in AdaOS, they do so with a certain
> 'role' of a certain user. This restricts their privileges (to that role of
> that user). If that role is not permitted to access a file, the user of the
> internet service is not, either. Of course, typically, things will be
> arranged to permit minimum necessary access by internet services. For
> example, a web server will be permitted to access the files (and other data)
> which make up a web site, but nothing else.

These are merely different grades of access controls. And as such
I am not against them (and never have been). It could be the best
security ever invented, but if I have to administer 1000s of these,
I will not trust them all to be entirely correct. Worse, other
people may administer some of them - a firewall helps to enforce
the company position on access policy!

> The necessity for a separate firewall seems to be obviated by this
> arrangement. The whole system is acting as a big firewall in itself. In
> particular, AdaOS will not have any holes or back doors in its security. The
> security mechanisms will be hermetically sealed. (This may be somewhat in
> contrast to other operating systems.)

It's not quite as simple as that. For example, if you were to
support the ftp service, it doesn't matter how secure
the AdaOS is. The first time someone uses ftp to login
to a server, that account is potentially compromised!
Userid and password information is sniffed by every
machine that has a LAN card listening to the same wire.
The OS itself is _not_ the complete answer to security
(this is where firewalls help).

Even though ssh2 might provide reasonable security today,
any hardened "sealed" AdaOS may still be vulnerable to
developed ssh2 weaknesses in the future.

If you have only 1 Windows machine, or 1 Mac or Linux (or
whatever with ftp or other weak clients), then you are
wide open for attack.

So yes, in a pie-in-the-sky world, where all machines use
only the safest of protocols, and are perfectly secure,
you might stand a chance of that working without an outer
firewall.

Would I trust my enterprise to the net this way? Would the
US military trust their secrets without a firewall on their
network? No way. They'll run a firewall anyway, just so that
people can sleep at night. I'll continue to do the same,
thank you very much.

Because for all I know, this may be one elaborate phishing
scam, trying to get me to drop my firewall ;-)
--
Warren W. Gay VE3WWG
http://home.cogeco.ca/~ve3wwg


