
Blue diamond. Operative question: if this application was deployed on the network of a widget manufacturer, would it handle, store, or manipulate information about widgets?
  0: Handles no data specific to the business environment it's deployed in (e.g. NTP).
  1: Handles information incidental to the business environment (e.g. ticketing/scheduling, like Remedy).
  2: Handles data that can be used to reconstruct portions of critical business data (e.g. SMTP mail).
  3: Stores and manipulates semi-authoritative versions of critical business information (e.g. Veritas).
  4: Stores and manipulates authoritative versions of critical business information (e.g. iSCSI).
Rationale: speaks to the direct asset value of the application.
Red diamond. Operative question: is this application used to deliver, schedule, or control other applications?
  0: Publish-only (e.g. publicfile).
  1: Executes significant functionality on behalf of clients (e.g. Apache).
  2: Hosts objects or RPC-style procedures for clients (e.g. CORBA).
  3: Executes arbitrary code on behalf of clients (e.g. Remote Desktop).
  4: Direct remote-control capability for multiple agents (e.g. Marimba).
Rationale: all applications are vulnerable to attacks that hand over control of the local operating system (a publicfile stack overflow is just as bad as a Marimba overflow). The question here is, "is this application a deliberate gatekeeper for the integrity of its host operating system or other machines on the network?"
Yellow diamond. Operative question: will other computer systems rely on this application for access to the network?
  0: No network connectivity (e.g. tar).
  1: Exposed to network (e.g. IMAP).
  2: Influences connectivity decisions for other systems (e.g. DNS).
  3: Provides connectivity services for other systems (e.g. Squid Proxy).
  4: Controls traffic forwarding (e.g. Catalyst 6000).
Rationale: to what degree is this application a stepping stone, and to what extent does that step amplify the network's exposure to attack? In the most sensitive cases, access implies the ability to hijack other users.
White diamond. Operative question: how does the application decide who gets to use it?
  0: Privileged user on local system (e.g. shadow password file).
  1: Authenticated and authorized network client (e.g. CIFS).
  2: Authenticated network client (e.g. NFSv1).
  3: Provides pre-authentication services to arbitrary network clients (e.g. intranet web server).
  4: Unrestricted access to arbitrary network clients (e.g. rexd).
Rationale: There's no real NFPA "white" diamond. The question of "how easy is this application to exploit?" is too complicated to answer with a number. So is the question, "what measures does this application take to control access?" "Exposure" is an attempt to animate the other 3 diamonds by summing up a security model in terms of authentication ("who are you?") and authorization ("what are you allowed to do?").
Name              Blue  Red  Yellow  White
NFS Server        4     2    1       2
CIFS Server       4     2    2       1
iSCSI             4     1    1       3
iFCP              4     1    3       4
NTP Server        0     1    1       4
Trac              1     1    1       3
SMTP Mail         2     1    1       4
Veritas           4     1    1       2
SNMP Agent        1     2    2       2
publicfile        4     0    1       4
Apache            4     1    1       4
Orbix ORB         0     2    2       3
Remote Desktop    0     3    1       1
Marimba           1     4    1       2
tar               4     1    0       0
IMAP Server       2     1    1       1
DNS Cache         1     1    2       4
Squid Proxy       1     1    3       3
Catalyst Switch   1     1    4       4
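The four-diamond rubric and rating table above, encoded as an added example (not code from the original page): each diamond value is validated against the 0-4 scale, expanded back into short rubric wording, and rows are parsed from a text table like the one above. The triage() ordering (most exposed first, ties broken by the worst of the three impact axes) is an assumed review heuristic of mine, not something the page defines.

```python
from dataclasses import dataclass

# Short labels for the four 0-4 scales in the rubric, indexed by level.
SCALES = {
    "Blue": ("no business data", "incidental data", "reconstructable data", "semi-authoritative data", "authoritative data"),
    "Red": ("publish-only", "significant functionality", "hosts objects/RPC", "arbitrary code", "remote control of agents"),
    "Yellow": ("no network", "exposed to network", "influences connectivity", "provides connectivity", "controls forwarding"),
    "White": ("privileged local user", "authenticated+authorized client", "authenticated client", "pre-auth services", "unrestricted"),
}
AXES = ("blue", "red", "yellow", "white")

@dataclass(frozen=True)
class AppRating:
    name: str
    blue: int
    red: int
    yellow: int
    white: int

    def __post_init__(self):
        # Every diamond cell must be one of the five rubric levels.
        for axis in AXES:
            v = getattr(self, axis)
            if not (isinstance(v, int) and 0 <= v <= 4):
                raise ValueError(f"{self.name}: {axis} rating {v!r} is not in 0-4")

    def describe(self) -> dict:
        """Expand the four numbers into the rubric wording."""
        return {a.capitalize(): SCALES[a.capitalize()][getattr(self, a)] for a in AXES}

def parse_table(text: str) -> list:
    """Parse 'Name Blue Red Yellow White' rows; names may contain spaces."""
    ratings = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        name, nums = " ".join(parts[:-4]), parts[-4:]
        ratings.append(AppRating(name, *map(int, nums)))
    return ratings

def triage(ratings, min_exposure=3):
    """Assumed heuristic (not from the page): review the most exposed
    applications first; break ties by the worst of the three impact axes."""
    hot = [r for r in ratings if r.white >= min_exposure]
    return sorted(hot, key=lambda r: (-r.white, -max(r.blue, r.red, r.yellow), r.name.lower()))

# Constructed sample input: a subset of the page's table.
SAMPLE = """Name Blue Red Yellow White
NFS Server 4 2 1 2
NTP Server 0 1 1 4
publicfile 4 0 1 4
Apache 4 1 1 4
Remote Desktop 0 3 1 1
Catalyst Switch 1 1 4 4
"""
```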