From: "Warren W. Gay VE3WWG"
Newsgroups: comp.lang.ada
Subject: Re: For the AdaOS folks
Date: Tue, 04 Jan 2005 23:37:53 -0500

Nick Roberts wrote:
> "Warren W. Gay VE3WWG" wrote:
>> Dmitry A. Kazakov wrote:
>>> But the only need in firewall is the policy of trusting behind it.
>>
>> That is all I need to keep you from messing with my files ;-)
>
> I think I side with Dmitry on this one.

Thankfully, my firewall protects me from you as well ;-)

> When reading a variety of authoritative documents, papers, and books on the
> subject of computer security, one of the basic principles they all espouse
> is that of 'minimum necessary privilege'. In other words, access is denied
> by default, of every object (file, database table, etc.) to every subject
> (person, program). Access is granted between an object and a subject only
> when there is a specific need.

Ok, but how does that eliminate the concept of a firewall? It does precisely this (deny all access) by default, allowing the minimum necessary permission. Under perfect circumstances, I think you are saying that a firewall is redundant. But in practice, it'll never be redundant.

> Okay, I think this principle needs to be taken as a guideline, rather than a
> strict rule. It's not likely to be practical on a very fine-grained, highly
> dynamic level. Nevertheless, I intend to make the security mechanisms
> capable of supporting this principle, to a reasonable degree, and to make
> the default security policies implement it.
>
> In practice, that means that, for example, when a user creates a new file
> (and saves it), the new file is, by default, inaccessible to (and invisible
> to) all other unprivileged users.

I am not disagreeing with this - and never have. But are you going to trust 100s/1000s of CPUs to all be properly locked down to the outside world?

> When somebody uses an internet service in AdaOS, they do so with a certain
> 'role' of a certain user. This restricts their privileges (to that role of
> that user). If that role is not permitted to access a file, the user of the
> internet service is not, either. Of course, typically, things will be
> arranged to permit minimum necessary access by internet services. For
> example, a web server will be permitted to access the files (and other data)
> which make up a web site, but nothing else.

These are merely different grades of access controls. And as such I am not against them (and never have been). It could be the best security ever invented, but if I have to administer 1000s of these, I will not trust them all to be entirely correct. Worse, other people may administer some of them - a firewall helps to enforce the company position on access policy!

> The necessity for a separate firewall seems to be obviated by this
> arrangement. The whole system is acting as a big firewall in itself. In
> particular, AdaOS will not have any holes or back doors in its security. The
> security mechanisms will be hermetically sealed. (This may be somewhat in
> contrast to other operating systems.)

It's not quite as simple as that. For example, if you were to support the ftp service, it doesn't matter how secure the AdaOS is. The first time someone uses ftp to log in to a server, that account is potentially compromised! Userid and password information is sniffed by every machine that has a LAN card listening to the same wire. The OS itself is _not_ the complete answer to security (this is where firewalls help). Even though ssh2 might provide reasonable security today, any hardened "sealed" AdaOS may still be vulnerable to ssh2 weaknesses developed in the future.

If you have only 1 windows machine, or 1 Mac or Linux (or whatever with ftp or other weak clients), then you are wide open for attack. So yes, in a pie-in-the-sky world, where all machines use only the safest of protocols, and are perfectly secure, you might stand a chance of that working without an outer firewall.

Would I trust my enterprise to the net this way? Would the US military trust their secrets without a firewall on their network? No way. They'll run a firewall anyway, just so that people can sleep at night. I'll continue to do the same, thank you very much.

Because for all I know, this may be one elaborate phishing scam, trying to get me to drop my firewall ;-)

-- 
Warren W. Gay VE3WWG
http://home.cogeco.ca/~ve3wwg
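The two positions in the thread above, per-host default-deny access control scoped to a role versus an outer firewall that does not depend on every host being configured correctly, can be made concrete in a small model. The following is an added example, not code from the post and not part of AdaOS; the host names, roles, ports and file paths are constructed for illustration, and the policy classes are hypothetical. It shows that a request has to pass both layers independently, and includes an exposure audit that lists what the outside can reach even when one host's policy has been left wide open by whoever administers it.

```python
"""Default-deny access control on each host, with an independent
network-layer policy (the firewall) in front of all hosts.

Added example; not from the original post and not AdaOS code.
Hosts, roles, ports and paths below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Grant = Tuple[str, str, str, str]  # (host, role, object, action)


@dataclass
class HostPolicy:
    """Minimum necessary privilege on one host: a (role, object) pair
    carries only the actions explicitly granted; everything else is denied."""
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def grant(self, role: str, obj: str, *actions: str) -> None:
        self.grants.setdefault((role, obj), set()).update(actions)

    def allows(self, role: str, obj: str, action: str) -> bool:
        # Default deny: an unknown (role, object) pair yields an empty set.
        return action in self.grants.get((role, obj), set())


@dataclass
class Firewall:
    """Network layer: deny everything except explicitly opened
    (source zone, destination host, port) triples."""
    rules: Set[Tuple[str, str, int]] = field(default_factory=set)

    def open(self, src_zone: str, dst_host: str, port: int) -> None:
        self.rules.add((src_zone, dst_host, port))

    def allows(self, src_zone: str, dst_host: str, port: int) -> bool:
        return (src_zone, dst_host, port) in self.rules


def request_allowed(fw: Firewall, hosts: Dict[str, HostPolicy],
                    src_zone: str, dst_host: str, port: int,
                    role: str, obj: str, action: str) -> bool:
    """Both layers must agree. A permissive host policy cannot override
    the firewall, and an open port cannot override the host's own policy."""
    if not fw.allows(src_zone, dst_host, port):
        return False
    policy = hosts.get(dst_host)
    if policy is None:          # unknown host: nothing to consult, deny
        return False
    return policy.allows(role, obj, action)


def internet_exposure(fw: Firewall, hosts: Dict[str, HostPolicy]) -> Set[Grant]:
    """Audit: every grant that is reachable from the 'internet' zone through
    some open port. This is what an administrator actually has to review."""
    exposed: Set[Grant] = set()
    reachable = {host for (zone, host, _port) in fw.rules if zone == "internet"}
    for host in reachable:
        for (role, obj), actions in hosts.get(host, HostPolicy()).grants.items():
            for action in actions:
                exposed.add((host, role, obj, action))
    return exposed


def build_example() -> Tuple[Firewall, Dict[str, HostPolicy]]:
    """Constructed environment: a web server exposed on port 80 and an
    ftp host that someone else administers and left open to anonymous."""
    fw = Firewall()
    fw.open("internet", "www1", 80)   # only the web port is public
    fw.open("lan", "www1", 22)        # administration from inside only
    fw.open("lan", "files1", 21)      # ftp host reachable from the LAN only

    www1 = HostPolicy()
    www1.grant("webserver", "/srv/www/index.html", "read")

    files1 = HostPolicy()             # misconfigured: anonymous may read a private file
    files1.grant("anonymous", "/home/warren/secret.txt", "read")

    return fw, {"www1": www1, "files1": files1}


if __name__ == "__main__":
    fw, hosts = build_example()
    print(request_allowed(fw, hosts, "internet", "www1", 80,
                          "webserver", "/srv/www/index.html", "read"))
    print(request_allowed(fw, hosts, "internet", "files1", 21,
                          "anonymous", "/home/warren/secret.txt", "read"))
    print(sorted(internet_exposure(fw, hosts)))
```

The audit is the practical point of the model: with a thousand hosts, reviewing `internet_exposure` is tractable, whereas reviewing every host's grant table is not. Note what the firewall does not do: the misconfigured `files1` grant is still honoured for requests from the LAN, so the outer layer limits the blast radius of a bad host policy rather than correcting it.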