Thinking about how your security domains relate to each other
It may be that you have (or can have) more than one security domain among your machines. If you really want to have multiple security domains, it's important to think about how they relate to each other and what this implies for how you manage the machines.
First, a note: a machine can never be in multiple security domains. By definition, you work with security domains instead of single machines because compromising one machine in a security domain eventually leads to compromising all of them (assuming that your attacker knows what they are doing). So if you have multiple security domains and you put a machine into two of them at once, what you have just done is merge the security domains through this machine.
This leads to the most important and basic principle, which is that security can only flow one way. If there is any relationship between security domains at all, they can never be equal; instead, one is the higher-security domain and one is the lower-security domain, and the higher-security domain has access rights to the lower-security domain but not vice versa. (I generally say that security flows out or down from the high-security domain.)
Now, when I say 'access rights' I do not mean anything as easily controlled as passwordless access and NFS mounts. If you are taking this seriously, merely logging in to system B from system A means either that both systems are effectively in the same security domain (regardless of what the nominal situation is) or that system A is in a superior security domain. This is because of the consequences of a compromise of system A; an attacker that trojans your ssh program (or your kernel or whatever) on system A has just gotten access to system B through your actions. (Been there. Had it happen to me. Not fun. A lot of passwords got changed in a hurry.)
(It follows that sysadmin workstations are basically at the top of the security domain pyramid, especially if you theoretically have several completely independent security domains. If you are paranoid, this has significant implications for things like how they can be set up and how you back them up.)
If you need to cross a security domain without having security flow between the two, you need to firewall what the 'superior' domain can do to the 'inferior' one. Naturally this limiting has to be imposed by the would-be inferior domain, since the whole point of the firewall is that what would be the inferior domain doesn't want to trust the superior one.
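To make the merging rule concrete, here is an added example (my own code, not from the original post) that takes a constructed inventory of machines, their declared domains and who logs in where, and works out which declared domains have in practice collapsed into a single effective domain and which way security flows between the domains that remain. The machine names, domain names and the input format are assumptions.

```python
from collections import defaultdict

# Constructed inventory (not from the post): machine -> declared security domains,
# and (src, dst) pairs meaning "src is used to log in to / mount / administer dst".
MACHINES = {
    "admin-ws": {"sysadmin"},
    "fileserver": {"servers"},
    "lab1": {"lab"},
    "web": {"dmz"},
    "bridge": {"lab", "dmz"},      # one machine in two domains: merges them
}
ACCESS = [
    ("admin-ws", "fileserver"), ("admin-ws", "lab1"), ("admin-ws", "web"),
    ("fileserver", "web"),         # servers staff log in to the web box...
    ("web", "fileserver"),         # ...and the web box logs in to servers: a loop
]

def effective_domains(machine_domains, access):
    """Return (merged, superior): merged maps each declared domain to the frozenset
    it is effectively one domain with; superior is the transitively closed set of
    (higher, lower) pairs of effective domains."""
    domains = set().union(*machine_domains.values())
    adj = defaultdict(set)
    # A machine in two domains lets a compromise flow both ways between them.
    for doms in machine_domains.values():
        for a in doms:
            adj[a].update(doms - {a})
    # Logging in from src to dst carries a compromise of src's domain into dst's.
    for src, dst in access:
        for a in machine_domains[src]:
            adj[a].update(machine_domains[dst] - {a})
    # Transitive closure: which domains a compromise starting in d can reach.
    reach = {}
    for d in domains:
        seen, stack = set(), [d]
        while stack:
            for y in adj[stack.pop()]:
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        reach[d] = seen
    # Domains that can each reach the other are, in practice, one domain.
    merged = {d: frozenset({d} | {e for e in reach[d] if d in reach[e]}) for d in domains}
    classes = set(merged.values())
    superior = {(hi, lo) for hi in classes for lo in classes
                if hi != lo and next(iter(lo)) in reach[next(iter(hi))]}
    return merged, superior

def merged_report(merged):
    # Effective domains that swallowed more than one declared domain.
    return sorted(sorted(c) for c in set(merged.values()) if len(c) > 1)
```

With the constructed inventory, the servers/dmz login loop and the bridge machine collapse servers, dmz and lab into one effective domain, leaving only sysadmin above it.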