Re: The Future of Security
Subject: Re: The Future of Security
From: Randy Witlicki (Randy.Witlicki valley.net)
Date: Mon Dec 06 1999 - 12:33:54 CST
David wrote:
>At 04:54 PM 12/2/99 -0600, Don Helms wrote:
>
>>Yes, but as we've seen in the medical arena, you can toast a guy
>>if you have access. I've seen actual medical equipment designed
>>by the manufacturer to network with zero security---on purpose.
>>We did implement it at the physical level, by the way.
>
>>So, if you network your toaster, you may be able to tell if it's
>>turned off. But what about someone else turning it on? If I don't
>>firewall my toaster some yahoo will hack in and burn my house down?
>
>>Too many times, it's the simple stuff that folks forget to lock down.
>
>Having seen the ISS Scanner shut down a cookie factory for a whole shift
>($50k worth of cookies...) using ICMP redirects, I can relate to this - I
>can see it now - come home to find my fridge defrosting because some nitwit
>gave it a crappy IP stack... Then what bothers me even more is that these
>Java-based gizmos want to work across my house wiring. So once I get all
>my appliances running that, now I need a firewall for my exterior
>electrical sockets or some kid will plug a gizmo into the outside of my
>house and have the kitchen looking like Mickey and the brooms in the
>Sorcerer's Apprentice...
>
Well, in *theory* at least, things like the Jini initiative
are trying to do what Marcus has ranted about over the past
few years - Throwing out all the current bad practices which
emphasize perimeter security and rebuilding our protocols and
so on at the individual host level.
Of course, we have to make sure the design is correct and that
we implement it correctly, but what else is new?
See some stuff included below from Sun's Jini doc. found at:
http://www.sun.com/jini/specs/jini-spec.html
- Randy
-
AR.2.1.3 Java Remote Method Invocation (RMI)
Communication between services can be accomplished using Java Remote
Method Invocation (RMI). The infrastructure to support communication
between services is not itself a service that is discovered and used
but is, rather, a part of the Jini technology infrastructure. RMI
provides mechanisms to find, activate, and garbage collect object groups.
Fundamentally, RMI is a Java programming language-enabled extension
to traditional remote procedure call mechanisms. RMI allows not only
data to be passed from object to object around the network but full
objects, including code. Much of the simplicity of the Jini system is
enabled by this ability to move code around the network in a form that
is encapsulated as an object.
AR.2.1.4 Security
The design of the security model for Jini technology is built on the
twin notions of a principal and an access control list. Jini services
are accessed on behalf of some entity--the principal--which generally
traces back to a particular user of the system. Services themselves
may request access to other services based on the identity of the
object that implements the service. Whether access to a service is
allowed depends on the contents of an access control list that is
associated with the object.
This archive was generated by hypermail 2b27 : Mon Dec 06 1999 - 20:24:42 CST