In information security, a guard is a device or system for allowing computers on otherwise separate networks to communicate, subject to configured constraints. In many respects a guard is like a firewall, and guards may have similar functionality to a gateway. Whereas a firewall is designed to limit traffic to certain services, a guard aims to control the information exchange that the network communication is supporting at the business level. Further, unlike a firewall, a guard provides assurance that it remains effective in providing this control even under attack and failure conditions.

A guard will typically sit between a protected network and an external network, and ensure the protected network is safe from threats posed by the external network and from leaks of sensitive information to the external network. A guard is usually dual-homed, though guards can connect more than two networks, and acts as a full application layer proxy, engaging in separate communications on each interface. A guard will pass only the business information carried by the protocols from one network to another, and then only if the information passes configured checks which provide the required protection.

== History ==

The development of guards began in the late 1970s with the creation of several "Secure Communications Processors" and "Guard" applications. The secure communications processors were high assurance operating systems and security kernels developed to support controlled plain-text bypasses for packet network encryption devices. The guard applications were designed to sanitise data being exported from a classified system to remove any sensitive information from it.

The Honeywell Secure Communications Processor (SCOMP)〔Steven Padilla and Terry Benzel, (''Final Evaluation Report of SCOMP''), CSC-EPL-85/001, 1985〕 was an early guard platform. This was evaluated against the DoD Computer Security Center ''Orange Book'' evaluation criteria at level A1.

The RSRE Secure User Environment (SUE) ran on a PDP-11/34. It was a very simple separation kernel designed and constructed by T4 Division of the Royal Signals and Radar Establishment (RSRE) at Malvern, England.〔D H Barnes, ''Secure Communications Processor Research'', Procs. 7th DoDNBS Computer Security Initiative Conference 1984〕

The Advanced Command and Control Architectural Testbed (ACCAT) guard was developed to export email from a classified system through a human review stage.〔Woodward, J.P.L, (''Applications for multilevel secure operating systems''), Proc. AFIPS 1979 Nat. Comput. Conf., June, 1979〕

Later developments of guards addressed the problem of automatic "downgrading" of information exported from a classified system. The Secure Network Server (SNS) Mail Guard (SMG) enforced source/destination address whitelists, security label checks, attachment type filtering and digital signatures to ensure sensitive information is not released.〔R.E.Smith (''Constructing a High Assurance Mail Guard'') 1984〕

Firewalls were a later development, arriving around 1987.〔Ingham, K and Forrest S (''A History and Survey of Network Firewalls'')〕 Over time the functionality of firewalls has increased to provide similar capabilities to guards. The main difference remaining is that guards are built in such a way as to provide assurance that they are effective at protecting the network and themselves.

The SWIPSY firewall toolkit was developed by the Defence Evaluation and Research Agency to act as a general guard platform. SWIPSY was layered on top of Trusted Solaris 8.

Excerpt source: Wikipedia, the free encyclopedia.
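As an added illustration of the release checks the article attributes to the SNS Mail Guard (constructed example code, not the SMG's or any product's implementation), the following Python policy applies an address whitelist, a security-label threshold, an attachment-type filter and a signature check to an outbound message, and fails closed on any violation. The label ordering, the addresses and file names, and the HMAC that stands in for a real digital signature are all assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
import hashlib
import hmac

# Assumed label lattice (constructed): a higher index means more sensitive.
LABELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]
@dataclass(frozen=True)
class Policy:
    allowed_senders: frozenset          # source address whitelist
    allowed_recipients: frozenset       # destination address whitelist
    max_release_label: str              # highest label allowed to leave the protected network
    allowed_attachment_types: frozenset # permitted attachment extensions, lower case
    signing_key: bytes                  # HMAC key standing in for the originator's signing key

# attachments: tuple of file names; body and signature: bytes.
Message = namedtuple("Message", "sender recipient label attachments body signature")

def sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def check_message(msg: Message, policy: Policy):
    """Return (release_allowed, reasons); every check runs so the audit record lists all violations."""
    reasons = []
    if msg.sender not in policy.allowed_senders:
        reasons.append("sender not whitelisted")
    if msg.recipient not in policy.allowed_recipients:
        reasons.append("recipient not whitelisted")
    # An unknown label is treated as exceeding the threshold (fail closed).
    if msg.label not in LABELS or LABELS.index(msg.label) > LABELS.index(policy.max_release_label):
        reasons.append("label exceeds release threshold")
    # A name with no extension yields an empty type, which is never whitelisted.
    bad = [a for a in msg.attachments
           if (a.rsplit(".", 1)[1].lower() if "." in a else "") not in policy.allowed_attachment_types]
    if bad:
        reasons.append("disallowed attachment type: " + ", ".join(bad))
    if not hmac.compare_digest(msg.signature, sign(policy.signing_key, msg.body)):
        reasons.append("signature invalid")
    return (not reasons, reasons)

def demo():
    policy = Policy(frozenset({"alice@protected.example"}), frozenset({"bob@external.example"}),
                    "RESTRICTED", frozenset({"txt", "pdf"}), b"constructed-demo-key")
    body = b"Meeting moved to 10:00"
    clean = Message("alice@protected.example", "bob@external.example", "RESTRICTED",
                    ("agenda.pdf",), body, sign(policy.signing_key, body))
    leak = Message("alice@protected.example", "bob@external.example", "SECRET",
                   ("plan.docx",), body, b"\x00" * 32)
    return check_message(clean, policy), check_message(leak, policy)
```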