Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: C2 Myths
From: Leonard Miyata <leonard @ geminisecure . com>
Date: Fri, 6 Sep 1996 09:56:02 -0700 (PDT)
To: Bernd Eckenfels <lists @ lina . inka . de>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <m0uyrzY-0004jQC @ lina>

Hi

Instead of the term "NSA" and "People with programming experience",
replace with the sentence "Engineers who are experienced in exploiting 
bad programming (e.g. the Unix gets() call) to create Security Holes, and 
have access to the COMPLETE O.S source code with months of time to study it"

This is what is actually done during a TCSEC evaluation process.

Personal opinions provided by
Leonard Miyata
aka leonard @ geminisecure . com
GEMINI COMPUTERS INC.
http://www.geminisecure.com

On Fri, 6 Sep 1996, Bernd Eckenfels wrote:

> Hi,
> 
> > A1 - Verified Design. The highest level demands formal security verification
> > methods to ensure that security controls protect classified and other
> > sensitive information. Even the National Security Agency cannot break in.
> > 
> > B3 - Security Domains. This level is intended to protect systems from people
> > with programming experience.
> > 
> > B2 - Structured Protection. Hackers should not be able to break into a
> > system with B2-level security.
> > 
> > B1 - Labeled Protection. At this level, a really good hacker could possibly
> > break in, but users can't.
> > 
> > C2 - Controlled Access Protection. C2 provides protection for log-in
> > procedures, allows auditing of security-relevant events, and offers resource
> > isolation.
> > 
> > C1 - Discretionary Protection. This level enables users to set access
> > controls to protect private or project information.
> > 
> > D - Minimal Protection. The lowest level is reserved for systems that have
> > been evaluated but have failed to meet the requirements for a higher
> > evaluation class.
> 
> sorry, this is not very useful... "Users" "Hackers" "people with programming
> experience" "NSA" is not a useful (nor realistic) atributation(sp?) for
> security classes.
> 
> Greetings
> Bernd
> -- 
>   (OO)      -- Bernd_Eckenfels @ Wittumstrasse13 . 76646Bruchsal . de --
>  ( .. )   ecki @ {lina . inka . de,linux.de}  http://home.pages.de/~eckes/
>   o--o     *plush*  2048/A2C51749  eckes @ irc  +4972573817  *plush*
> (O____O)       If privacy is outlawed only Outlaws have privacy
> 

