First of all, I just recently joined the list and have really enjoyed the
threads of conversation. It's been educational to say the least. Please
keep up the good conversation and hopefully avoid the personal stuff.

I have a general question related to Orange Book certification of systems.
In one of my past lives I worked in and around this stuff (but am not an
expert whatsoever) and I remembered that a MLS OS certified by the NCSC
could not/would not be certified to support any networking access. At the
time there was work on the networking security book (green, brown? forgot).
Anyway, if it truly was the case (I may have not interpreted the facts
correctly at the time) that NCSC believed that a network connection would
basically make a MLS OS insecure, why should we assume that a firewall
running on top of a MLS is going to be much better off? Maybe I am behind
the times and they have since updated Orange Book to include networking or
the Green/Brown book now covers the issues. I follow the logic that more
must be better (more security features, mandatory access control, etc), but
all it takes is one hole and all the "more must be better" doesn't amount to
much.

I also have to agree with the one person who fundamentally stated that to
get a certified OS in the A or B range would be almost useless when done
since the hardware and software are out of date with the current technology.
However, for the government, they tend to stick with older equipment anyway
due to budget constraints and it becomes a lesser problem, and for some sites,
security is far more important than having the latest and greatest. The
NCSC/Orange Book does not translate well into the commercial arena and I
don't believe they ever intended it to be useful or should keep pace with
commercial arenas. I have found many companies ask for C-2 or B-2 like
features, but did not require certification. I suppose the only thing they
lose is that full assurance that an independent authority has done their
best to ensure that an OS is truly secure. At some point a company has to
cut off their paranoia for the sake of performance and money. For example,
a firewall running on a certified secure OS might be considered more secure.
But if you are paranoid enough, you would want to know who certifies those
who certify the OS (the NCSC). Are they experts? Are their methods
complete? Just because someone calls themselves experts doesn't make them
experts. Where do you stop, or do you? (of course this is a bit silly, but
it illustrates the point). Ultimately the solution is to have no connection
to the internet, but then you still have the more serious internal threats
to deal with.

What's the old joke? Just because you think someone is following you
doesn't mean they aren't?
:-)
dale
============================================================================
Dale Lancaster
TITAN SPECTRUM Technologies
Director of Marketing
dalel @ netcom . com
(214) 423-6212 / (214) 423-6579 (Fax)
============================================================================