Great Circle Associates Firewalls
(October 1996)
 


Subject: RE: NT Security
From: Brad VanOrden <bvvanor @ rssi . com>
Date: Tue, 1 Oct 1996 08:11:15 -0400 (EDT)
To: firewalls @ GreatCircle . COM

I think you are missing the point of C2.  It is not meant
that if a box is rated C2 that it is invulnerable.
Rather, it is a philosophy of how you are going to administer
the system.  The main points of C2 are that there are not
any group logins allowed and that all transactions are logged.
No group logins means you do not share your password.  The
system can't enforce that.  It's a people thing.  Will your
users abide by it?  The fact that all transactions are logged
allows an administrator to find out who did what to the system
(again, assuming the users aren't sharing their passwords).
C2 is simply an accountability measure.  It does not prevent
anything.  I would rather have a system that has been
certified C2 compliant because it gives me better assurance
I can find out what happened on my system (if something does
happen).

My $0.02 worth.

Brad Van Orden
Rapid Systems Solutions, a BSG company

>C2 security seems basically worthless. You can't have any network, and if   
>a perpetrator has physical access to the machine, he/she can just boot   
>off a floppy to read your files.
>
>So, if you can't use it with a network as a file server, and if it's   
>easily compromised with physical access to the machine, what is a   
>practical example of where C2 is actually useful?
>
>Keith McCammon
>Asymetrix Corp
>*Opinions my own*
>
>
>On Wed, 25 Sep 1996, Joseph S. D. Yao wrote:
>
>> Much has been made of NT's "C2" certification.  I've heard that it was
>> certified without the standard NT file system; and with that file
>> system, it can't be certified.  Beware.
>
>    It will only comply with C2 standards if you are using the NTFS file
>system (not FAT or HPFS) and, of course, as a stand-alone machine after
>service pack X (7?) is applied with some other holes closed.
