[4446] in WWW Security List Archive
Re: Trusted Solaris and MLS
daemon@ATHENA.MIT.EDU (dillow@cs.utk.edu)
Fri Feb 14 18:31:27 1997
From: dillow@cs.utk.edu
Date: Fri, 14 Feb 1997 15:56:07 -0500
To: Nymblewyke@compuserve.com, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
From: Jim Frank <Nymblewyke@compuserve.com>
> Does anyone out there have information on trusted solaris and multi level
> security.
I don't have any info on firewalling on a Trusted Solaris machine, per se,
but I happen to build firewalls, and I also happen to work on TS machines,
along with HP CMW and DEC MLS+. I'm currently working on getting ssh to
work properly on HP's -- I know you are in for some interesting times....
> I am told that there are machines and that they are approved for multi
> level security.
As for certifying them for actual use, I'm not sure about the accreditation
issues, but I am sure that you will not be able to hook to the Internet or
outside lines if this involves classified data on any of the systems. Of
course, if this is for the government, you probably knew that, or know if
I am wrong. If this is commercial, it is up to the company's policy.
> Am I just paranoid or is there a problem with different levels of security
> in the same machine?
You cannot be too paranoid when it comes to security. It is possible to
implement a firewall that is secure across Sensitivity Labels, as long
as one is careful. For starters, the only access to the firewall itself
should be through the console, and the OS should be stripped down.
I haven't looked for a commercial offering, but one could do the job
themselves, if they are knowledgeable in firewall design. One must also
have experience implementing the MAC policy and protections. If you are
not comfortable with your experience in these areas, I should be able to
put you in contact with someone who can help.
A good start would be TIS's Firewall Toolkit, and I would suggest reading
all the information you can get on MaxSix and TSIX(RE). You will be using
these for everything.
If you'd like to talk about this further, let's take it to private email.
David Dillow
Sword & Shield Computer Services
dillow@cs.utk.edu