The flood-gate principle - a hybrid approach to a high security solution

The classical role of a firewall is to protect a computer network against attacks from the outside world, especially the Internet. Firewalls are often expensive, hard to configure, and understood only by experts. Sometimes the required level of security is too high for a firewall, and the information flow does not have to be "online". Here we propose to use "flood-gates", as described in the following. They provide a modern, simple and easy-to-understand method for securing a network at a very high security level. E-mails, plain files and all sorts of electronic data can be exchanged over such flood-gates without the risk of compromising the "own" network through the most dangerous classes of attacks. Information passes through the flood-gates even though there is never a single moment of physical connection between the own network and the outside world. The disadvantage of the resulting service restrictions can be overcome by a multilevel security approach. As a practical example, a concrete "real-life" implementation of the flood-gate principle in the financial sector is described in detail in this paper.
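As an added illustration (not the paper's own implementation), the following Python model enforces the invariant behind the flood-gate principle: a holding chamber between the two networks whose outer and inner gates are never open at the same time, with content inspection done while both are shut. The gate names, the batch API and the inspection callback are assumptions made for this model.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

class GateViolation(RuntimeError):
    """Raised when an operation would leave both gates open at once."""

@dataclass
class FloodGate:
    """Holding chamber between outside world and internal network (constructed
    model of the principle in the abstract, not the paper's implementation).
    Batches move: open outer gate, deposit, shut it, inspect in isolation,
    open inner gate, collect, shut it. Both gates are never open together."""
    inspect: Callable[[bytes], bool]             # content check, run while isolated
    chamber: List[bytes] = field(default_factory=list)
    open_side: Optional[str] = None              # None, "outside" or "inside"
    log: List[str] = field(default_factory=list)

    def open_gate(self, side: str) -> None:
        if self.open_side is not None:
            raise GateViolation(f"{self.open_side} gate is open; cannot open {side}")
        self.open_side = side
        self.log.append(f"open {side}")

    def close_gate(self) -> None:
        self.log.append(f"close {self.open_side}")
        self.open_side = None

    def deposit_from_outside(self, items: List[bytes]) -> None:
        self.open_gate("outside")
        self.chamber.extend(items)
        self.close_gate()

    def quarantine(self) -> List[bytes]:
        # Inspection only runs with both gates shut; returns the rejected items.
        if self.open_side is not None:
            raise GateViolation("inspection must run with both gates shut")
        rejected = [m for m in self.chamber if not self.inspect(m)]
        self.chamber = [m for m in self.chamber if self.inspect(m)]
        self.log.append(f"inspect: rejected {len(rejected)}")
        return rejected

    def collect_to_inside(self) -> List[bytes]:
        self.open_gate("inside")
        delivered, self.chamber = self.chamber, []
        self.close_gate()
        return delivered

def transfer(gate: FloodGate, items: List[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """One full flood-gate cycle; returns (delivered, rejected)."""
    gate.deposit_from_outside(items)
    rejected = gate.quarantine()
    return gate.collect_to_inside(), rejected
```

The log of a cycle shows that the outer gate is always closed before the inner one opens, which is the property that replaces a permanent online link.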
