On Tue, 22 Aug 2000, Chris Calabrese wrote:
Hi,
thanks for your reply.
> However, the U.S. Controlled Access Protection Profile and
> Labeled Security Protection Profile (which replace the old
> C2 and B1 designations of the Trusted System Evaluation
> Criteria) require that mechanisms that are part of a
> system's Trusted Computing Base shut down if they can't log,
Exactly. Either an application or the kernel itself must be
shut down if it is not possible to log security-related messages.
But, as we know, this leads to DoS. A typical scenario:
* there is a single path through the network to reach the syslogd,
or there is, at least, a hop through which the traffic is confined
to pass
* an attacker starts to overload this intermediate link
Choosing the opportune/right intermediate link, the attacker can ideally
cause a twofold DoS: both for the logging service and for the remote host
that is trying to log some security-related message. In fact some logging
services seemingly have a single link.
(obviously... "in many cases, attackers can achieve their ends merely by
ensuring that important information does not reach the destination, even
if they cannot decrypt it, forge it, or alter it.")
The cautionary measure required by the U.S. Controlled Access Protection
Profile and Labeled Security Protection Profile can help in many
scenarios. But not all... Which is preferable? Availability of the service
or security?
If I must make some documents available in a network environment (e.g.
through a web server) I wish to have a service permanently up.
If there is the risk that this service can be shut down I can use more
than one host and DNS in round robin...
But the DoS is not avoided completely; probably there are still shared
portions of the path or a small set of non-shared elements that can be
overloaded or attacked.
Blocking if the output queue is full can give enough time to an attacker
to complete his "work".
Yes, it is safer to shut down, unlink from a network and unplug a host (I
agree with this) but to have a service permanently available is useful :-)
alfonso
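The trade-off alfonso describes (halt the service when it cannot log, block the caller until the output queue drains, or keep serving and lose records) can be made concrete with a small model. The following Python is an added example, not code from the thread or from any of the profiles it mentions; the class and policy names, the queue size of 4 and the request schedule (3 requests with the link up, 10 while an attacker saturates the link, 3 after it recovers) are all constructed for illustration. The collector is modelled as a sink behind one link that simply raises OSError while the link is down, which is the single-path scenario in the post.

```python
"""Constructed model: a bounded audit queue whose remote collector sits
behind one saturable link, under three fail policies (illustrative names)."""
from collections import deque
from enum import Enum


class LogPolicy(Enum):
    FAIL_CLOSED = "fail_closed"  # stop serving rather than act unaudited (CAPP/LSPP style)
    BLOCK = "block"              # stall the caller until the queue drains
    DROP = "drop"                # stay available, discard the record


class AuditUnavailable(Exception):
    """Raised once a FAIL_CLOSED logger has halted the service."""


class LinkSink:
    """Stand-in for a remote syslog collector behind a single network path.
    The scenario toggles `up` to model the intermediate link being
    saturated by an attacker; a send while it is down raises OSError."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, record):
        if not self.up:
            raise OSError("link saturated: collector unreachable")
        self.received.append(record)


class AuditLogger:
    def __init__(self, sink, policy, maxsize=4):
        self.sink = sink
        self.policy = policy
        self.maxsize = maxsize
        self.pending = deque()   # bounded output queue, oldest first
        self.dropped = 0
        self.halted = False

    def _flush(self):
        """Deliver queued records in order; stop at the first send failure."""
        while self.pending:
            try:
                self.sink.send(self.pending[0])
            except OSError:
                return False
            self.pending.popleft()
        return True

    def emit(self, record):
        """Audit one event. True: caller may proceed. False: caller is
        stalled (BLOCK). Raises AuditUnavailable under FAIL_CLOSED once the
        queue is full and the collector cannot be reached."""
        if self.halted:
            raise AuditUnavailable("audit subsystem halted, service stopped")
        self._flush()
        if len(self.pending) < self.maxsize:
            self.pending.append(record)
            self._flush()            # may fail; the record stays queued
            return True
        # Queue full and collector unreachable: the policy decides.
        if self.policy is LogPolicy.FAIL_CLOSED:
            self.halted = True
            raise AuditUnavailable("cannot log security event; halting")
        if self.policy is LogPolicy.BLOCK:
            return False
        self.dropped += 1            # DROP: newest record is lost, service goes on
        return True


def simulate(policy, up_before=3, down_during=10, up_after=3, maxsize=4):
    """Serve requests while the path to the collector goes down and comes
    back; every request must be audited before it is served. Returns the
    counts to compare across policies (constructed schedule)."""
    sink = LinkSink()
    logger = AuditLogger(sink, policy, maxsize)
    schedule = [True] * up_before + [False] * down_during + [True] * up_after
    served = stalled = refused = 0
    for i, link_up in enumerate(schedule):
        sink.up = link_up
        try:
            ok = logger.emit(f"request {i} accepted")
        except AuditUnavailable:
            refused += 1      # host is down: the request is refused outright
            continue
        if ok:
            served += 1
        else:
            stalled += 1      # client times out: the DoS the post describes
    return {"policy": policy.value, "served": served, "stalled": stalled,
            "refused": refused, "delivered": len(sink.received),
            "dropped": logger.dropped, "halted": logger.halted}


if __name__ == "__main__":
    for policy in LogPolicy:
        print(simulate(policy))
```

Running all three policies over the same schedule shows the point of the thread in numbers: FAIL_CLOSED loses no audit record but refuses every request once the queue fills, and stays down even after the link recovers; BLOCK also loses nothing, but the six requests that arrive while the link is saturated stall, which is exactly the window an attacker needs; DROP keeps the service answering throughout at the price of six audit records that never reach the collector.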