[cap-talk] Bill Frantz HP challenge (was: Re: [Confused deputies in hybrid systems (was: Loss of control))
Jed Donnelley
capability at webstart.com
Wed Feb 6 12:48:23 EST 2008
At 02:46 PM 2/5/2008, Karp, Alan H wrote:
>Jed wrote:
> >
> > I think the difficulty with this situation is that the only
> > place there is information about where this communication is
> > coming from is in the firewall. To deal with this I suggest
> > a forwarding service. The main service is simply not available
> > for access directly from outside the firewall. It only accepts
> > "outside" requests from the forwarding service. The forwarding
> > service does the delegation from an inside identity to the
> > corresponding "outside" identity. When this request gets
> > forwarded to the inside server, it has the information that
> > it needs to enforce its policy (inside or outside).
> >
>Or you could just VPN in and be logically inside the firewall.
I think the issue (correct me if I'm wrong BillF) is that
Bill wants (his policy says) that connections from outside
the corporate network should be refused for these sensitive
objects. I think by that he means that if you VPN in then
your connection should be refused - right Bill? The difficulty
that I see is distinguishing VPN from other "inside" connections.
What I suggest above is that the server refuse (e.g.
an internal or local "firewall" in front of this service
blocking connections from the VPN addresses) connections
from such VPN'ed connections. This means that if you
use your capability directly through the VPN the connection
will be blocked. Even if you use an "inside" capability
that should be allowed and try to access the server,
it will be blocked, because all connections coming
through the VPN are blocked.
However, there is a service set up to forward "outside"
connections to the service. At that point if the capability
is translated into an "outside" capability, it will be
accepted for access to appropriate objects, but not for
those with the policy that denies such access.
The issue with this approach is 'just' getting all
outside access capabilities to be so labeled before
they hit the server. Once they hit the server, it
can distinguish those which should be blocked
(those that access the sensitive data) from those
which should be allowed through (not sensitive
data). In any case it can distinguish inside from
outside by the "label" on the capability.
--Jed http://www.webstart.com/jed-signature.html
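The forwarding-service arrangement Jed sketches above (a server that refuses VPN'ed and direct outside connections, and a forwarder that relabels an "inside" capability as an "outside" one before presenting it) can be modelled in a few lines. The code below is an added illustration, not code from the cap-talk thread or from any HP system; the class names, the address ranges, the object table and the "sensitive" flag are all assumptions made for the example.

```python
"""Toy model of a forwarding service that relabels capabilities.

Added example, not from the cap-talk thread.  Everything here (Capability,
Server, Forwarder, the address ranges, the object table) is an assumption
chosen to illustrate the design, not a description of a real deployment.
"""
from dataclasses import dataclass, replace
import ipaddress
import secrets

# Assumed network layout: the VPN address pool sits inside corporate space,
# so the server needs its own "local firewall" rule to tell it apart.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
VPN_NET = ipaddress.ip_network("10.200.0.0/16")
FORWARDER_ADDR = ipaddress.ip_address("10.1.1.5")

# Constructed object table: only the sensitive object carries the
# "refuse outside access" policy.
OBJECTS = {
    "quarterly-plan": {"sensitive": True},
    "cafeteria-menu": {"sensitive": False},
}


@dataclass(frozen=True)
class Capability:
    secret: str   # unguessable bearer token
    obj: str      # object the capability designates
    origin: str   # "inside" or "outside" label


class Server:
    """The protected service.  It never sees an outside client directly."""

    def __init__(self):
        self.issued = {}  # secret -> Capability as originally issued

    def issue(self, obj):
        cap = Capability(secrets.token_hex(16), obj, "inside")
        self.issued[cap.secret] = cap
        return cap

    def handle(self, src, cap):
        src = ipaddress.ip_address(src)
        # 1. Local firewall in front of the service: every connection that
        #    comes through the VPN is blocked, whatever capability it carries.
        if src in VPN_NET:
            return "refused: vpn source"
        if src not in INSIDE_NET:
            return "refused: not inside the firewall"
        # 2. The capability must be one this server issued.
        issued = self.issued.get(cap.secret)
        if issued is None or issued.obj != cap.obj:
            return "refused: unknown capability"
        # 3. Only the forwarder may present "outside" requests, and the
        #    forwarder must always have relabelled what it forwards.
        if cap.origin == "outside" and src != FORWARDER_ADDR:
            return "refused: outside label from non-forwarder"
        if cap.origin == "inside" and src == FORWARDER_ADDR:
            return "refused: forwarder must relabel"
        # 4. Policy is now decidable from the label alone.
        if cap.origin == "outside" and OBJECTS[cap.obj]["sensitive"]:
            return "denied: sensitive object, outside access"
        return f"ok: {cap.obj}"


class Forwarder:
    """Forwarding service: the only path from outside to the server.
    It delegates by translating an inside capability to an outside one."""

    def __init__(self, server):
        self.server = server

    def forward(self, cap):
        outside_cap = replace(cap, origin="outside")
        return self.server.handle(str(FORWARDER_ADDR), outside_cap)


def demo():
    """Walk through the cases discussed in the thread; returns the outcomes."""
    srv = Server()
    fwd = Forwarder(srv)
    plan = srv.issue("quarterly-plan")
    menu = srv.issue("cafeteria-menu")
    return {
        "inside_direct": srv.handle("10.1.2.3", plan),
        "vpn_direct": srv.handle("10.200.0.7", plan),
        "outside_via_forwarder_ok": fwd.forward(menu),
        "outside_via_forwarder_denied": fwd.forward(plan),
    }
```

The point the model makes explicit is the one Jed calls the 'just': an outside client can only reach the server through the forwarder, the forwarder relabels everything it carries, and the server refuses any other route, so by the time a request hits the server the label is trustworthy and the sensitive/non-sensitive decision needs no information from the firewall.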