On Aug 1, 11:43am, Darwin Martinez wrote:
>> Recall, however, that even though NT/HPUX/etc. may be C2 certified, it is
>> certified at the box level only, not the network level.
"Alex Noordergraaf" <noorder @ shire . btg . com> replied:
>Correct, but that is because the Orange book definition of C-2 doesn't
>have any network requirements. (someone please correct me if I am
>wrong) I didn't think that network requirements came into play until
>the B levels, notably B-1.
The "B" and "C" have nothing to do with networking.

The original TCSEC applied to "systems" as in the old timesharing or
batch world. You could do a TCSEC evaluation on a device with network
interfaces, but most vendors don't. I think Sun did a CMW evaluation
that way a few years back. There's also the "Trusted Network
Interpretation" that's supposed to better apply to networked devices.

The "B" level indicates that the system contains mandatory access
control that enforces a multilevel security policy on data in the
system. This is intended to protect against sophisticated "outsider"
attacks.

The "C" level indicates that the system can keep relatively honest
"insiders" from improperly accessing each others' files. So don't get
overly impressed by a "C2" evaluation. It indicates that some third
party reviewed the device relative to some specific criteria, not that
it's strong enough to protect your data.
Rick.
smith @ sctc . com    secure computing corporation