Mikael,

#Now, the tOS idea is to compartmentalize the operating environment so
#that a compromised FTP proxy process won't gain control over the
#firewall kernel or other processes. Fine. Assume that this works.
#Being a C and assembler coder, I don't believe it really does, but
#that's another story. Let's just for the sake of argument assume
#that it actually works.

#Now, assume that said FTP proxy process is compromised and completely
#under the control of an external user. What, pray tell, keeps this
#FTP proxy from connecting to pretty much any port on any host
#behind the firewall?

FYI, another TOS firewall is Cyberguard.  It uses the Bell-LaPadula
model for TOSs, so anyone who knows it or helped develop it may want to
jump in on this discussion.

     First of all, I am not a programmer, so I will not be speaking from that
angle.  There are some Sidewinder engineers that used to participate in
this list so they may want to comment on this as well if they are
listening.

There are proxies and servers on the Sidewinder firewall.

1. Proxy

     A proxy, like the FTP proxy, only checks the contents of the packet.
In the case of FTP it will check the IP header, TCP header, the FTP header,
and the contents of the packet. If the headers or packet contain something
that is not allowed then the connection is dropped.  In this scenario you
really can't take over the FTP proxy as far as I can tell.  You may be able
to fool it into passing packets to the FTP server on the dmz or internal
network and take over that box.  I don't think it is possible to cause the
firewall to actually execute anything that a proxy is checking.  The proxy
is only allowed to pass packets along or drop them.  You would have to
control the Type Enforcement Admin domain to change the port a proxy
listens on or what type of traffic that proxy can pass or drop.  Assuming
Type Enforcement works, of course.

2. Server

     Now on the server side I do agree that it is possible to compromise
the FTP, DNS, Telnet, CERN web server, or Sendmail servers on the firewall.
<This is where a Sidewinder engineer could make some good comments> If
there are bugs in the actual Type Enforcement code and you can figure out
how to exploit those bugs then it would be possible to break out of your
Type Enforced domain.  If the following is true:

1. All actions, users, and processes have a Type Enforcement.

2. The Type Enforcements of the actions and users or processes must have
rules specified by Type Enforcement on how and who they can interact with.

3. Anything that does not interact in the way specified by the Type
Enforcement code is discarded.

4. An alert is given to the firewall administrator when anything not
allowed is denied.

Then I think that Type Enforcement or a TOS that follows something similar
would work very well as a security measure.  The original implementation of
Type Enforcement was on the SNS (Secure Network Server).  This was designed
to the A1 specifications in the Orange Book, so there was a lot of
theoretical discussion about the value of TOSs and physical checking of the
Type Enforcement code before the NSA started using SNS.  There have been a
lot of changes in the way the Type Enforcement code is utilized so there
could have been new bugs that were introduced.

     The Type Enforcement code cannot be changed by the Administrator.  It
can probably be replaced by trojaned code.  One of the interesting things on
the Sidewinder is that it has two kernels.  An operational kernel where all
network code is enabled and an admin kernel where the network code is
disabled.  There are certain Type Enforcement domains where I cannot
delete, replace, edit, or change Type Enforcement on the file except in the
admin kernel.  The Type Enforcement code cannot be replaced except in the
Admin kernel where there are no network connections.  If Type Enforcement
works you would need physical access to the box to get rid of it and if you
have physical access there are better things to do than get rid of Type
Enforcement.  If you could break into the Admin kernel after you have
compromised a server (probably DNS or Sendmail would be easiest) then you
could use crontab to boot to the admin kernel, run some scripts to do
things that can only be done in the admin kernel, and then boot back to the
operational kernel.

Regards,
Jeffery Gieser

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
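The following is an added toy model of the mechanism the post describes, not Sidewinder code and not part of the original message. It encodes the four conditions Jeffery lists (every domain and type has rules, anything not listed is denied, every denial raises an alert) together with the two-kernel split (operational kernel: networking on, no admin domain; admin kernel: admin domain present, networking off), and then walks through Mikael's scenario of a fully compromised FTP proxy. All domain names, type names, host names, ports and rules are invented for the example.

```python
"""Toy Type Enforcement (domain/type) model, constructed for illustration.

Subjects run in a *domain*; every object (file, spool, network endpoint)
carries a *type*.  A domain may use an access on a type only if the domain
definition table (DDT) lists it.  Everything else is denied and logged.
Nothing here is Sidewinder's real policy; the tables are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Sample DDT: domain -> object type -> allowed accesses (constructed).
DDT: Dict[str, Dict[str, Set[str]]] = {
    "ftp_proxy_d": {
        "ftp_spool_t": {"read", "write"},
        "net_ftp_t":   {"connect"},   # endpoints labelled as FTP servers only
        "te_policy_t": {"read"},
    },
    "sendmail_d": {
        "mail_spool_t": {"read", "write"},
        "net_smtp_t":   {"connect"},
        "te_policy_t":  {"read"},
    },
    "admin_d": {
        "te_policy_t": {"read", "write", "replace"},
        "ftp_spool_t": {"read"},
    },
}

# Two-kernel design from the post (sample): which domains each kernel runs
# and whether network code is enabled.  The admin domain exists only in the
# admin kernel, and that kernel has networking disabled.
KERNELS = {
    "operational": {"network": True,  "domains": {"ftp_proxy_d", "sendmail_d"}},
    "admin":       {"network": False, "domains": {"admin_d"}},
}

# Network endpoints are typed like files are.  Constructed labelling; any
# endpoint not in this table gets a type that no domain has rules for.
ENDPOINT_TYPES: Dict[Tuple[str, int], str] = {
    ("ftp.dmz.example", 21):        "net_ftp_t",
    ("mail.dmz.example", 25):       "net_smtp_t",
    ("db.internal.example", 1433):  "net_internal_t",
}


@dataclass
class Enforcer:
    kernel: str
    alerts: List[str] = field(default_factory=list)   # condition 4: every denial is reported

    def check(self, domain: str, access: str, obj_type: str) -> bool:
        k = KERNELS[self.kernel]
        if domain not in k["domains"]:          # domain does not exist in this kernel
            return self._deny(domain, access, obj_type, "domain not present in this kernel")
        if obj_type.startswith("net_") and not k["network"]:
            return self._deny(domain, access, obj_type, "network code disabled in this kernel")
        allowed = DDT.get(domain, {}).get(obj_type, set())
        if access not in allowed:               # condition 3: default deny
            return self._deny(domain, access, obj_type, "no DDT rule")
        return True

    def connect(self, domain: str, host: str, port: int) -> bool:
        obj_type = ENDPOINT_TYPES.get((host, port), "net_unlabelled_t")
        return self.check(domain, "connect", obj_type)

    def _deny(self, domain: str, access: str, obj_type: str, why: str) -> bool:
        self.alerts.append(f"DENY {domain} {access} {obj_type}: {why}")
        return False


def compromised_ftp_proxy_scenario():
    """Mikael's question: an attacker fully controls ftp_proxy_d.  What can it reach?"""
    op = Enforcer("operational")
    results = {
        # reaching the DMZ FTP server is the proxy's job, so it is allowed
        "ftp_to_dmz_21":     op.connect("ftp_proxy_d", "ftp.dmz.example", 21),
        # an internal database port has no rule for ftp_proxy_d: denied + alert
        "ftp_to_internal_db": op.connect("ftp_proxy_d", "db.internal.example", 1433),
        # rewriting the TE policy from the proxy domain: denied + alert
        "ftp_write_policy":  op.check("ftp_proxy_d", "write", "te_policy_t"),
        # the admin domain is simply not present in the operational kernel
        "admin_in_op_kernel": op.check("admin_d", "write", "te_policy_t"),
    }
    adm = Enforcer("admin")
    # only the admin kernel may change policy, and there it has no network
    results["admin_write_policy"] = adm.check("admin_d", "write", "te_policy_t")
    results["admin_net_in_admin_kernel"] = adm.connect("admin_d", "ftp.dmz.example", 21)
    return results, op.alerts + adm.alerts


if __name__ == "__main__":
    res, alerts = compromised_ftp_proxy_scenario()
    for name, ok in res.items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
    print("\n".join(alerts))
```

The point the model makes against the quoted objection: even with the proxy process fully owned, the answer to "what keeps it off port 1433 on an internal host" is that the endpoint's type has no entry under `ftp_proxy_d`, and the deny is logged. The model also shows why the post treats the admin kernel as the only place policy can change: the domain that may write `te_policy_t` does not exist in the kernel that has networking, which is exactly what the crontab-reboot path at the end of the post would have to get around.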
