Page 1304 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

controlling access in and out of a network. They are configured with an implicit deny philosophy and only allow traffic that is explicitly allowed based on a rule. Firewalls are typically designed to be fail-secure, supporting the implicit deny philosophy. If a firewall fails, all traffic is blocked. Although this eliminates availability of communication through the firewall, it is secure. In contrast, if availability of traffic is more important than security, the firewall can be configured to fail into a fail-open state, allowing all traffic through. This wouldn't be secure, but the network would not lose availability of traffic.
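The two behaviours described above, implicit deny for packets that match no rule and the choice between fail-secure and fail-open when the rule set cannot be loaded, shown as an added Python example (not code from the study guide or from any real firewall product; the rule syntax, the sample rule sets and the packet values are constructed for the demo):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule syntax for this example (not a real firewall's):
#   <allow|deny> <tcp|udp|any> <source CIDR> <destination port|any>
# Rules are evaluated top to bottom; the first match decides.

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int

def parse_rules(text: str) -> List[Rule]:
    """Parse the rule text; raise ValueError on the first malformed line."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 4 or parts[0] not in ("allow", "deny")
                or parts[1] not in ("tcp", "udp", "any")):
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        net = ipaddress.IPv4Network(parts[2], strict=False)   # ValueError on a bad CIDR
        port = None if parts[3] == "any" else int(parts[3])   # ValueError on a bad port
        rules.append(Rule(parts[0], parts[1], net, port))
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation. A packet that matches no rule is dropped: implicit deny."""
    src = ipaddress.IPv4Address(pkt.src)
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if src not in r.src_net:
            continue
        return r.action == "allow"
    return False

class Firewall:
    """Loads a rule set once; if loading fails, the failure mode decides every packet."""

    def __init__(self, rule_text: str, fail_mode: str = "secure"):
        if fail_mode not in ("secure", "open"):
            raise ValueError("fail_mode must be 'secure' or 'open'")
        self.fail_mode = fail_mode
        self.rules: Optional[List[Rule]] = None
        self.load_error: Optional[str] = None
        try:
            self.rules = parse_rules(rule_text)
        except ValueError as exc:
            self.load_error = str(exc)     # failed state: no usable rule set

    def permits(self, pkt: Packet) -> bool:
        if self.rules is None:
            # Failed state: fail-secure blocks everything, fail-open passes everything.
            return self.fail_mode == "open"
        return evaluate(self.rules, pkt)

# Constructed sample rule sets.
GOOD_RULES = """
allow tcp 10.0.0.0/8 443     # internal hosts may reach the HTTPS service
allow udp 10.0.0.0/8 53      # internal hosts may reach DNS
"""
BAD_RULES = "allow tcp 10.0.0.0/8 443\nalow tcp 10.0.0.0/8 22\n"   # typo on line 2

def demo() -> dict:
    working = Firewall(GOOD_RULES)
    broken_secure = Firewall(BAD_RULES, fail_mode="secure")
    broken_open = Firewall(BAD_RULES, fail_mode="open")
    web = Packet("tcp", "10.1.2.3", 443)
    ssh = Packet("tcp", "10.1.2.3", 22)
    return {
        "explicit_allow": working.permits(web),       # True: rule 1 matches
        "implicit_deny": working.permits(ssh),        # False: no rule matches
        "load_error": broken_secure.load_error,
        "fail_secure": broken_secure.permits(web),    # False: everything blocked
        "fail_open": broken_open.permits(web),        # True: everything passes
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the firewall with the bad rule set never reaches the rule evaluator at all: the decision for every packet comes from the configured failure mode, which is exactly why the default here is `secure`.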



In the context of physical security with electrical hardware locks, the terms fail-safe and fail-secure are used. Specifically, a fail-safe electrical lock will be unlocked when power is removed, but a fail-secure electrical lock will be locked when power is removed. For example, emergency exit doors will be configured to be fail-safe so that personnel are not locked inside during a fire or other emergency. In this case, safety is a primary concern if a failure occurs. In contrast, a bank vault will likely be configured to be fail-secure so that it remains locked if power is removed because security is the primary concern with a bank vault door.



Two elements of the recovery process are addressed to implement a trusted solution. The first element is failure preparation. This includes system resilience and fault-tolerant methods in addition to a reliable backup solution. The second element is the process of system recovery. The system should be forced to reboot into a single-user, nonprivileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services actively in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and settings on all security-critical files are then verified.
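The last step of that recovery process, verifying security-critical files, needs something to verify against. The added Python example below (not from the study guide) records a baseline of permission bits and content hash for a set of files while the system is known-good, then after recovery reports each file that is missing, has different permissions, or has different content. The file names, contents and permissions are constructed for the demo inside a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Baseline entry per file: (expected permission bits, expected SHA-256 of the content).
Baseline = Dict[str, Tuple[int, str]]

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths: List[str]) -> Baseline:
    """Record mode and content hash of each file while the system is known-good."""
    return {p: (stat.S_IMODE(os.stat(p).st_mode), sha256_of(p)) for p in paths}

def verify(baseline: Baseline) -> List[str]:
    """Compare the current state with the baseline; return one finding per deviation."""
    findings: List[str] = []
    for path, (mode, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append(f"{path}: missing")
            continue
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual != mode:
            findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
        if sha256_of(path) != digest:
            findings.append(f"{path}: content hash mismatch")
    return findings

def demo(damage: bool = True) -> List[str]:
    """Constructed scenario: three security-critical files, optionally damaged after baselining."""
    with tempfile.TemporaryDirectory() as d:
        files = {                                 # constructed names, contents and modes
            "sudoers": ("root ALL=(ALL) ALL\n", 0o440),
            "sshd_config": ("PermitRootLogin no\n", 0o600),
            "shadow": ("root:*:19000:0:99999:7:::\n", 0o600),
        }
        paths = []
        for name, (content, mode) in files.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(content)
            os.chmod(p, mode)
            paths.append(p)
        baseline = take_baseline(paths)

        if damage:
            # Simulate what a crash or a bad restore might leave behind.
            os.chmod(paths[0], 0o640)
            with open(paths[0], "a") as f:        # sudoers content altered
                f.write("# stray line left by a bad restore\n")
            os.chmod(paths[0], 0o440)             # mode restored, so only the hash differs
            os.chmod(paths[1], 0o666)             # sshd_config now world-writable
            os.remove(paths[2])                   # shadow file missing

        # Strip the temp directory prefix so the report is stable.
        return [finding.replace(d + os.sep, "") for finding in verify(baseline)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real deployment the baseline would be taken from trusted media or a signed store rather than from the same disk being recovered; a baseline written after the failure tells you nothing about what changed.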

               The Common Criteria (introduced in Chapter 8, “Principles of Security