-- -- Phil Rand <prand_at_spu.edu>, aka <postmaster_at_spu.edu> -- http://www.spu.edu/users/prand (206) 281-2428 -- Computer and Information Systems -- Seattle Pacific University -- 3307 3rd Ave. W., Seattle, WA 98119 -------------------------------------------------------------------------- >From jrozes_at_emerald.tufts.edu Sat May 24 10:07:06 1997 Date: Sat, 10 May 1997 13:06:35 -0400 (EDT) From: Jonathan Rozes <jrozes_at_emerald.tufts.edu> To: Thomas Leitner <tom_at_finwds01.tu-graz.ac.at> Subject: Re: DU 4.0b and C2 security ... On Sat, 10 May 1997, Thomas Leitner wrote: > So what about DU 4.0b in this context. I thought when installing enhanced > security I get a C2 certified, networked system. According to the > above statement, this does not seem to be the case and a C2 networked > system is apparently a contradiction in itself. This is true. The Orange Book standard is for standalone systems only. There is a separate security standard for networked systems, but I'll be damned if I can remember what it's called (the Green Book perhaps?). As far as I know, no major Unix vendor offers any kind of network security certification. If they did, connecting the system to any public network would surely violate the standard. The C2 designation is more of a selling point than anything else. There is C2-certified and then there is C2-compliant, which just means that the vendor followed the written standard, but never had the government certify that they actually did things correctly. When an OS is certified, the certification applies only to the exact system that was tested by the government. If that system is patched or modified in the slightest way, the whole certification process has to be done all over. jonathan +++ Jonathan Rozes, Unix Systems Administrator, Tufts University ++ jrozes_at_tcs.tufts.edu, http://rozes.tcs.tufts.edu/ + Remember, there's a difference between kneeling down and bending over --FZ --------------------------------------------------------------------------- MY ORIGINAL POSTING: >From tom_at_finwds01.tu-graz.ac.at Sat May 24 10:07:36 1997 Date: Sat, 10 May 1997 10:25:53 +0200 (MET DST) From: Thomas Leitner <tom_at_finwds01.tu-graz.ac.at> To: DEC Unix Managers <alpha-osf-managers_at_ornl.gov> Subject: DU 4.0b and C2 security ... Hi, I'm subscribed to the Windows NT security mailing list as well and I've read an interesting paragraph about C2 security there: > From: David LeBlanc <dleblanc_at_iss.net> > Cc: ntsecurity_at_iss.net > Subject: Re: [NTSEC] C2 compliance > > At 13:49 5/7/97 -0400, you wrote: > > Somebody told me that the C2 compliance NT claims is only for a NT > > machine without network and without a floppy disk. Is this true? A > > network card or floppy disk destroys C2 compliance? > > I really hope this is in the FAQ. Here's the whole story: > > 1) NT is only really C2 on 2 pieces of hardware, and that's only NT 3.5, SP3. > 2) It is true you can't have a network, but there isn't an eval program for > network C2 (AFAIK). It is not true you can't have a floppy or CD - you just > have to control access to it, and can't boot from them. > > C2 on a network would mean stuff like running the network through gas-filled > pipes, using fiber-optic everywhere, and NO connection to the outside world. > > So what's C2 really mean? Not much and a lot - all at once. I find it > impressive that NT is only one of 2 OS's (OS/400 is the other) that can get > C2 from a normal version. [...] So what about DU 4.0b in this context. I thought when installing enhanced security I get a C2 certified, networked system. According to the above statement, this does not seem to be the case and a C2 networked system is apparently a contradiction in itself. Can anybody shed some light on this and tell me in what environment Digital Unix with enhanced security has been certified for C2? Thanks -- Tom -------------------------------------------------------------------------- T o m L e i t n e r Dept. of Communications Graz University of Technology, e-mail : tom_at_finwds01.tu-graz.ac.at Inffeldgasse 12 Phone : +43-316-873-7455 A-8010 Graz / Austria / Europe Fax : +43-316-463-697 Home page : http://wiis.tu-graz.ac.at/people/tom.html PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send mail with subject "get Thomas Leitner" to pgp-public-keys_at_keys.pgp.net --------------------------------------------------------------------------Received on Sat May 24 1997 - 10:21:30 NZST
This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:36 NZDT