Great Circle Associates Firewalls
(September 1996)
 


Subject: RE: NT Security
From: "Bruce M." <bkmarsh @ feist . com>
Date: Mon, 30 Sep 1996 22:16:09 -0500 (CDT)
To: firewalls @ greatcircle . com
In-reply-to: <32502F23 @ mailgate . asymetrix . com>

On Mon, 30 Sep 1996, Keith McCammon wrote:

> C2 security seems basically worthless. You can't have any network, and if
> a perpetrator has physical access to the machine, he/she can just boot
> off a floppy to read your files.
> 
> So, if you can't use it with a network as a file server, and if it's
> easily compromised with physical access to the machine, what is a
> practical example of where C2 is actually useful?

    It depends on what exactly is C2 certified.  Something that a lot of 
people do, myself included, is say that a certain OS or NOS is 'XY 
certified.'  What we should really say is 'XY certifiable.'  
Basically meaning that you can make a system meet the standards of a 
certain TCSEC (Trusted Computer Systems Evaluation Criteria) if you do 
'such and such' things to it.  Some systems come out of the box 
pretty much certifiable and others (like WinNT) don't.  Maintaining 
an 'XY' certification also can often involve such things as maintaining a 
trusted facility environment (B through A classes) and other aspects of 
the computing environment.

    The main problem with WinNT is that it isn't C2 certifiable as a NOS, 
only an OS.  NOS's like Novell Netware have to be evaluated with a 
somewhat different set of criteria established by the Red book (Trusted 
Network Interpretation) as opposed to the Orange book (DoD Trusted 
Computer System Evaluation Criteria) for simple OSes.  

    So, having a C2 certification isn't a bad thing since it means that your 
system has better than average security.  But it does tend to look bad 
when a system designed to function within a network can't meet the 
security guidelines for that type of certification.

    At least, this is how I've interpreted the various DOD/NCSC manuals 
after reading through them and getting input from other sources.  Please 
correct me if I'm wrong.

                       ________________________________
                      [ Bruce M. - Feist Systems, Inc. ]
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
             'DISA information shows that computer attacks on the 
          Department of Defense are successful 65 percent of the time.
        The DoD, despite its problems, probably has one of the strongest
         computer security programs in government.' -GAO/T-AIMD-96-108

