On Mon, 30 Sep 1996, Keith McCammon wrote:
> C2 security seems basically worthless. You can't have any network, and if
> a perpetrator has physical access to the machine, he/she can just boot
> off a floppy to read your files.
> So, if you can't use it with a network as a file server, and if it's
> easily compromised with physical access to the machine, what is a
> practical example of where C2 is actually useful?
It depends on what exactly is C2 certified. Something that a lot of
people do, myself included, is say that a certain OS or NOS is 'XY
certified.' What we should really say is 'XY certifiable.'
Basically meaning that you can make a system meet the standards of a
certain TCSEC (Trusted Computer Systems Evaluation Criteria) if you do
'such and such' things to it. Some systems come out of the box
pretty much certifiable and others (like WinNT) don't. Maintaining
a 'XY' certification also can often involve such things as maintaining a
trusted facility environment (B through A classes) and other aspects of
the computing environment.
The main problem with WinNT is that it isn't C2 certifiable as a NOS,
only an OS. NOS's like Novell Netware have to be evaulated with a
somewhat different set of criteria established by the Red book (Trusted
Network Interpretation) as opposed to the Orange book (DoD Trusted
Computer System Evaluation Criteria) for simple OSes.
So, having a C2 certified isn't a bad thing since it means that your
system has better than average security. But it does tend to look bad
when a system designed to function within a network can't meet the
security guidelines for that type of certification.
At least, this is how I've interpreted the various DOD/NCSC manuals
after reading through them and getting input from other sources. Please
correct me if I'm wrong.
[ Bruce M. - Feist Systems, Inc. ]
'DISA information shows that computer attacks on the
Department of Defense are successful 65 percent of the time.
The DoD, despite its problems, probably has one of the strongest
computer security programs in government.' -GAO/T-AIMD-96-108