-- [ From: Mattias Lindström * EMC.Ver #2.5.02 ] --
Bill Stout wrote:
>Subject: Is any O.S. w/IP enabled C2 certified?
>
>As a firewall platform or not, is _any_ O.S. C2 certified when networking
>(specifically TCP/IP) is turned on?
>
>I keep mentioning this C2=a-non-networked-NT-box issue when talking about
>NT firewalls (as a response to NT fan(atics) claiming C2 certification).
>However I am in search of 'truth', and this one issue is beginning to sound
>like a non-rational objection.
>
>Bill Stout
The C2 certification specification says that "networking must be disabled".
Don't know if that means that you could have network components installed
and disabled or if you can't have any networking installed whatsoever, I
would think the latter but I am not sure.
Hmm. Does the above matter (installed and disabled or not installed)?
I mean, if you don't have any networking capabilities, you can't access the
box. Then you need console access to the box and then your password policy
has more impact than anything else.
Anyway.
To all Windows NT, UNIX and other NOS fan(atic)s, including myself :-),
If you put a box on a network, internet or intranet or just a plain net, you
will not be able to meet the C2 certification standards.
And, your installation will never be C2 certified if you don't pay the
certification fee and the certification authority agrees to test the
installation.
Windows NT:
Windows NT is an OS that is designed to be C2 certified, and it has been
certified, but only in certain configurations. Don't remember the specifics
but I think that it was a Compaq something with NT 3.51 and SP3, also some
Alpha AXP systems were also certified.
You can certify your own installation but you probably want to stay out of
it. It is expensive, both in cash and time.
Unix:
Don't know for sure (read: think I know but am not sure enough to yell about
it here:-)) but there must be vendors that have C2 and B2 certified
installations.
Novell:
I think Novell started a B2 certification way back, at least a year ago <G>,
but I haven't heard anything since.
How is it with B2 certification, do you really certify a complete network,
or was the coffee level in my veins too low when I read the specs?
Well, guess that it's like C2, more commercial and marketing gimmick to be
certified than for real world usage.
I know, some environments really need the certification but the Joe Schmoo
installation doesn't have those requirements.
TTYL,
--
Mattias Lindstrom
NT and Security Consultant
This email is for the use of authorized users only. Individuals using this
email without authority, or in excess of their authority, are subject to
having all of their activities monitored and recorded by system personnel.