On Fri, 6 Sep 1996, Paul McNabb wrote:
> > Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT)
> > From: Rabid Wombat <wombat @
> > On Thu, 5 Sep 1996, Jon Spencer wrote:
> > > > Of course C2 security is better than no security, but C2 was never
> > >
> > > Well ....... it is if you understand its limitations. Otherwise ...
> > >
> > WTH does C2 security have to do with a system that should not have any
> > user accounts on it, no user access to it?
> Well, let's see.
> 1) You could have the activity of the daemons and other processes
> audited in case of a problem. This could be very useful when trying
> to track a problem or security hole.
Maybe. The biggest point for a "secure" OS vs. a "hardened" OS is that I
might want to be able to audit the actions of the person who has control
of the firewall system. This isn't a C2 thing, though, as I recall, but
comes up in the "B" rating. I could be wrong here, as I don't dig into
the rainbow books so much anymore.
> 2) The object reuse requirements would make it less likely that a
> daemon or other process could be tricked into sending info from a
> previous network request.
Are you referring to proxies being tricked, or applying this argument to
inspection as well?
> 3) The TCB protections will make it less likely that bugs and holes
> in programs can circumvent or damage the system operation.
> 4) Daemons could be run in a mode that doesn't have access to any
> file or other resource on the system (e.g., on UNIX, run a daemon
> as user "noroot").
This does not require C2 certification, though.
> 5) The overall functioning of the system would be analyzed and you
> could feel better about its reliability and security (although at
> C2 this is somewhat weak).
Yes, it is weak at C2. Also, most of the "C2" systems out there are
"designed to C2 specifications" or some other marketing snake oil. This
does not make me feel better about anything. I'd rather take the word of
others in the field regarding OS hardening, than take the word of
anyone's marketing department regarding "C2."
> C2 (and all other trusted systems) provides security enhancements
> in ways that are useful even when no user is on the system. Add to
> that the assurances that come from well-designed and well-reviewed code,
> and trusted systems make a lot of sense in a lot of instances. There
> is a lot of smoke in the air about trusted products, and a lot of
> misconceptions and misleading statements by both sides (those who
> claim supernatural protection by trusted systems and those who claim
> it's all a crock).
M$ used to ship NT with "everyone" having rights to the system directory.
This may still be the case, for all I know; I haven't had
occasion/misfortune to work with NT lately. I don't care who certifies
what - if the system ships with any sort of potential "hole" as a
default, and it is up to the administrator to harden the OS, guess where
your security and peace of mind will have to come from? Not your OS rating.
> But you are correct in part. As stated in various places in the Rainbow
> Series, there are places where a trusted system will add no appreciable
> benefit to an operation. You could build a firewall machine in such a
> way to eliminate the need for a trusted operating system, but I think
> you would probably want to take your hardware and configuration through
> an evaluation and get a rating -- something easy like C2, or, for real
> assurance, B2 or B3.
The whole orange book system was designed to protect the users from each
other, the system from the users, and, to some extent, the system from
intruders, as you work your way up the rating scale. Go high enough, and
you have somewhat of an argument that you're protecting the firewall
system from intruders; but not at C2. Every time I see anybody talking
about C2 and firewalls, I expect an NT rant on the next line.
The last big firewall "hole" I recall hearing about involved a system
that, for a brief moment following boot, allowed packets through
unchecked while the firewall software was still initializing. A C2 rating
would not have made any difference. IMHO, it only gives a false sense of
security. "Of course it's foolproof - it's rated C2 ...".
just my $.02
> Paul McNabb mcnabb @
> Argus Systems Group, Inc. TEL 217-384-6300
> 1405A East Florida Avenue FAX 217-384-6404
> Urbana, IL 61801 USA