I've been reading the current security threads and I would like to offer
my thoughts. They are high level and not technical at all... but they
apply to all forms of security, not just computer security.
There are five points to security (the so-called 5 A's):
Access
Availability
Authentication/Authorization
Auditing
Accuracy
When the DOD got together and wrote the rainbow books (specifically the
orange book) they weren't computer scientists. Hell, it would be a
stretch to say they were even good at computers at all. But they were
good at security, because they have been doing it for a long time. So
they took what they knew (the 5 A's) and applied it to computers.
When you secure a website or put a security guard at the front door of a
bank or something you are doing the same thing:
Access: The guard is there to let people in. You want people to go into
the bank. You want people to access your website. Something that is
secure must let the people in that need to be let in.
Availability: The site must be available to people to access. This means
that there is always a guard at the door to let you in. When one goes on
break another one takes over. There is always someone there. In the
computer world this is having HA systems.
Authentication/Authorization: When need be, the guard is going to look at
your ID. He is then going to determine that it is you (see Accuracy) and
that you are authorized to enter. The same thing applies to websites or
servers. You must be able to authenticate people and restrict them to the
things they are entitled to access.
Auditing: You must have a log. When the security guard looks at your
badge a record is made of when you enter and leave. The same holds true
for servers or applications.
Accuracy: There must be some way that you can't be faked out. You need
to have accurate logs and accurate means of authentication. This means
don't hire a dumbass security guard, or install flaky software.
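To make the last three A's concrete, here is a small added example (mine, not from the post above) that plays the guard for a server: it authenticates a caller's token, checks an authorization list for the requested resource, and writes every decision, allowed or denied, to an audit log whose entries are chained with an HMAC so that a tampered record is detectable (the Accuracy point). The user table, ACL, key and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo data (hypothetical): who exists, what token they hold,
# and which "rooms" they are entitled to enter.
USERS = {"alice": "alice-token-1", "bob": "bob-token-2"}
ACL = {"lobby": {"alice", "bob"}, "vault": {"alice"}}

# Constructed key for the audit-log HMAC chain; in practice this would be
# held by the logging system, not by the application being audited.
AUDIT_KEY = b"constructed-demo-audit-key"


def _record_line(prev_mac: str, event: dict) -> str:
    """Canonical serialisation of one audit event, bound to the previous MAC."""
    return f"{prev_mac}|{event['user']}|{event['resource']}|{event['decision']}|{event['ts']}"


@dataclass
class AuditLog:
    """Append-only log; each entry's MAC covers the entry and the MAC before it."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> None:
        prev_mac = self.entries[-1]["mac"] if self.entries else ""
        line = _record_line(prev_mac, event)
        mac = hmac.new(AUDIT_KEY, line.encode(), hashlib.sha256).hexdigest()
        self.entries.append({**event, "mac": mac})

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev_mac = ""
        for entry in self.entries:
            line = _record_line(prev_mac, entry)
            expected = hmac.new(AUDIT_KEY, line.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev_mac = entry["mac"]
        return True


def authenticate(user: str, token: str) -> bool:
    """Is this really the person on the ID? Constant-time compare avoids a timing leak."""
    expected = USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected, token)


def authorize(user: str, resource: str) -> bool:
    """Is an authenticated person entitled to this resource?"""
    return user in ACL.get(resource, set())


def guard(log: AuditLog, user: str, token: str, resource: str, ts: int) -> str:
    """The guard at the door: authenticate, authorize, and always log the decision."""
    if not authenticate(user, token):
        decision = "deny-auth"
    elif not authorize(user, resource):
        decision = "deny-authz"
    else:
        decision = "allow"
    # Auditing: denied attempts are logged too; they are the interesting ones.
    log.append({"user": user, "resource": resource, "decision": decision, "ts": ts})
    return decision


if __name__ == "__main__":
    log = AuditLog()
    print(guard(log, "alice", "alice-token-1", "vault", 1))   # allow
    print(guard(log, "bob", "bob-token-2", "vault", 2))       # deny-authz
    print(guard(log, "bob", "not-bobs-token", "lobby", 3))    # deny-auth
    print(log.verify())                                       # True
    log.entries[1]["decision"] = "allow"                      # falsify a record
    print(log.verify())                                       # False
```

The point of the chain is that a log you cannot trust fails the Accuracy test just as badly as a guard who waves everyone through: the entries alone tell you nothing unless you can show they were not rewritten after the fact.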
Anyway, I think about these things when I evaluate the security of new
products; most flake out in the whole auditing portion (which is why a PIX
is _not_ a security device).
Just random thoughts... hope this helps.
-e
_____________________________________________________________________________
<majcher> icky is like a shadowy hit man, that nobody ever sees, and can only
contact through some strange process.
_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits