
List:       firewalls-gc
Subject:    Re: Securing Web Servers
From:       Rick Smith <smith () sctc ! com>
Date:       1997-01-28 11:01:04

bsterling@hotmail.com (Brad Sterling) wrote:

:It seems possible to protect web servers by preventing any actions
:that are not specifically allowed (Cheswick & Bellovin).  However, this
:requires technology which is not currently being employed.  It appears
:that www.memco.com provides a solution to this problem by dictating
:exactly what actions are allowed even if the superuser is performing
:the actions.  Is this a correct interpretation?

The term for what you're looking for is "mandatory protection." I did
a paper on using it to protect Internet servers at the IEEE Annual
Computer Security Applications Conference last December in San Diego.
You can get variants of mandatory protection in several commercial
firewalls, including Sidewinder (www.sctc.com, www.sidewinder.com).

Some use chroot() to do it (not very strong, but better than nothing)
and others, like us, use variants of NCSC orange book technology.  In
theory, Memco's approach should work, too. Has anyone seen reports of
turnkey Internet server packages that use it? I mostly saw technology
advertised on their web page, not problem solutions.

Rick.
smith@sctc.com        secure computing corporation
