>Leonard Miyata <leonard @
>On Tue, 28 Nov 1995, Marcus J. Ranum wrote:
>> They've added an implementation of DTE based on work they
>> have done on A1 systems**** into a "hardened" version of BSDI.
>I've been curious about this for a while. The Byte magazine article on
>Sidewinder mentioned A-1 technology, but Sidewinder, or its modified
>version of BSDI kernel it sits on is not "A-1".
>Besides Boeing's secure network, Gemini Computer's GEMSOS kernel, and of
>course the original Honeywell Multics, what other "A-1" systems are out
>there to gain experience on?

A-1 has many items which are of no value for a firewall. If you remove any
one of the items, it is no longer certifiable at A-1. Additionally, in order
to be recognized as A-1, you need to get it tested and approved. So, it is
not surprising that the modified version is not A-1.

While I don't know for certain, I'd assume that they would remove features
dealing with multiple security levels (preventing reading from more secure
data and writing to lower classified files), covert channels (which involves
passing information outside of the data section of a file and, since there
isn't something reading the covert channel in a firewall, wouldn't be
necessary), and other items. I'm assuming they would keep the auditing
features, data classification and grouping, some of the moving of security
functions into single modules, and alarms and such. And they probably
enhanced the network to check for spoofing and such.

Manager, Technical Support
Damark International, Inc
My opinions do not necessarily reflect those of Damark.