<Replying to several messages>
Don't forget that the "Orange Book" that defines C2 is not for any
networked system. It defines government security requirements for
stand-alone systems. That means that any UNIX system that is networked
would lose whatever C2 certification that it might have, just like NT.
Also remember that C2 is Discretionary Access Control. That means that
"The discretionary access control mechanism shall, either by explicit
user action or by default, provide that objects are protected from
unauthorized access. These access controls shall be capable of including
or excluding access to the granularity of a single user." The Orange
Book. It looks to me that NT and any C2 UNIX both do this just fine. Of
course, being discretionary means that NT and UNIX can be configured
without any security at all. That is the requirement. If you want
Mandatory Access Control you will have to make your system B1, B2, B3, or
A1 level of security. However, you still can't network it.
Then again, none of this discusses whether these are even worthwhile for
commercial businesses.
Clyde Davidson