Re: For the AdaOS folks

[Nick Roberts <nick.roberts@acm.org>]

"Warren W. Gay VE3WWG" <ve3wwg@NoSpam.cogeco.ca> wrote:

> Ok, but how does that eliminate the concept of a firewall? It does
> precisely this (deny all access) by default, allowing the minimum
> necessary permission. Under perfect circumstances, I think you are saying
> that a firewall is redundant. But in practice, it'll never be redundant.

No, in practice it really will be redundant.

> > In practice, that means that, for example, when a user creates a new
> > file (and saves it), the new file is, by default, inaccessible to (and
> > invisible to) all other unprivileged users.
> 
> I am not disagreeing with this - and never have.  But are you going to
> trust 100s/1000s of CPUs to all be properly locked down to the outside
> world?

Yes.

> These are merely different grades of access controls. And as such I am not
> against them (and never have been). It could be the best security ever
> invented, but if I have to administer 1000s of these, I will not trust
> them all to be entirely correct. Worse, other people may administer some
> of them - firewall helps to enforce the company position on access policy!

No, the firewall is worse. The finer grades of access control provide better
and more comprehensive security than a firewall can. Tools can provide the
necessary administrative control, as well as mandatory security controls.

> > The necessity for a separate firewall seems to be obviated by this
> > arrangement. The whole system is acting as a big firewall in itself. In
> > particular, AdaOS will not have any holes or back doors in its security.
> > The security mechanisms will be hermetically sealed. (This may be
> > somewhat in contrast to other operating systems.)
> 
> Its not quite as simple as that.

Yes it is, actually.

> For example, if you were to support the ftp service ...

Obviously we will /not/ support the FTP service, except for anonymous login.
For password-protected file transfer, we will support only SFTP (or perhaps
something that supersedes SFTP).

> The OS itself is _not_ the complete answer to security (this is where
> firewalls help).

I think you are basing that judgement on poor existing operating systems,
and are perhaps therefore unable to comprehend that an OS can really be
watertight.

> Even though ssh2 might provide reasonable security today, any hardened
> "sealed" AdaOS may still be vulnerable to developed ssh2 weaknesses in the
> future.

But I am sure that a firewall would provide no greater protection from such
weaknesses than the OS.

> If you have only 1 windows machine, or 1 Mac or Linux (or whatever with
> ftp or other weak clients), then you are wide open for attack.

Not true. By definition, an AdaOS network will comprise either machines that
are running AdaOS or machines which can communicate with AdaOS only through
the secure IP boundary. If an AdaOS machine is compromised, it could leave
the whole AdaOS network compromised, yes. If one of the other machines is
compromised, this will have no effect within the AdaOS network.

> So yes, in a pie-in-the-sky world, where all machines use only the safest
> of protocols, and are perfectly secure, you might stand a chance of that
> working without an outer firewall.

Warren, with respect, you sound like a horseman who, upon seeing a motor car
for the first time in his life, simply cannot understand that there isn't
anywhere for the saddle to go.

AdaOS /will/ be watertight, and that /will/ obviate the need for a firewall.

-- 
Nick Roberts