>From: Christopher Klaus <cklaus @
>Date: Wed, 4 Sep 1996 11:17:22 -0400 (EDT)
>There is a lot of hype among security products touting the fact that they
>are C2 certified so that they are more secure than non-C2 security
>I was wondering how many people really perceive that C2 brings them a more
>C2 - Controlled Access Protection. C2 provides protection for log-in
>procedures, allows auditing of security-relevant events, and offers
>Operating systems such as MS-DOS, the MacOS, Windows, and OS/2 are
>considered to have level D protection because they provide no security. To
>be precise, these systems are not truly D-rated because they were never
>submitted for evaluation.
You are correct: C2 is a minimal security level. C2, if properly used, will
go a long way to achieving reasonable security for internal business
systems. C2, by itself, doesn't mean anything for firewalls, nor does it
provide security against hackers.
The reason why I look for a C2 rating is that it does mean that basic
security is present in the operating system; otherwise, I need to go dig
through the manuals to see if the basics are around. In many cases,
something approaching C2 can be achieved if the proper settings are used. C2
only provides the basic tools on which to build a basic level of security.
For many users, C2 is when they begin to see security (you mean I really
have to have a password and change it?). Once users (and more importantly,
application coders) adjust to this minimal level of security, adding more
security is generally not a major paradigm shift.
My experience is that many of the proprietary computer systems which were
(are?) used in business environments either were C2 or had established
add-ons which made them C2 or better. In many cases, you couldn't turn off
the security systems although you could make them impotent by how you used
or ignored them. The importance of C2 is that there are security hooks built
into the system.
It's also interesting to me that many of the database engines, which
frequently have their own network port, totally bypass their host's security
system. Last I checked (several years ago but the informal discussions I've
had don't make me think much has changed), they wouldn't pass a C2 security
check (remember: C2 = a minimal security model).
Does my firewall need C2? I don't really care. It needs a totally different
security model since its protection goals are totally different. Do my
internal servers need a C2 level of security? Yes. Not because "C2" is the
goal but because they need at least that basic minimal level of security.
Manager, Technical Support/Systems Administration
Damark International, Inc
These opinions are mine and may or may not reflect those of Damark.