At 10:12 AM 10/1/96 +0200, G6 CPT Bates wrote:
...
>However, we have run into speed bumps with individuals processing
>classified information on unclassified
>...
>We do not have the budget nor training to install expensive
>firewalls at the Division level. We think less, but more
>robust machines running NT workstation on both the class
>and unclass LAN/WAN's, would offer what we require in terms
>of processing power and NT's excellent auditing/security.
>However, it is very expensive, both in terms of equipment,
>and personnel, to maintain these two NT LAN's. While I have
>yet to see someone hack an NTFS partition with permissions
>and other holes plugged up (watched a couple of DISA's best
>guys try), the security goons still have conniption fits
>about placing classified data on an unclassified NTFS
>partition. Any word on when NT will be network certified??
>...
Ha ha ha ha ho ho he.
As an ex-crypto (MOS 31S) and 'other duties as assigned' Army
vet, good luck! I sure hope you're not really putting classified
data on NT systems in unclassified nets! If you know of
someone who has, get the S2 to have a nice long talk with them.
I pay nose-bleed taxes to support god-knows-what covert and
non-covert political and military actions which I may or may
not agree with, and had put my own neck on the line in the insane
live-fire environment of the Korean DMZ and other environments
to 'protect our freedoms' (which keep diminishing thanks to our
own Governments' occasional Socialist/Tyrannistic binges), and
I'd hate to see my hard-earned tax dollars be blown so easily.
NT is breakable. UNIX is breakable. Unless you know exactly
what you are doing, I guaran'f-ing'tee you, you will leave
security holes open. DISA's 'best' are not 'the best' hackers
in the world by far. The best are out there in the private
industry making the big bucks, talking to developers, comparing
notes, and, hacking.
NT will have Kerberos 5 authentication which is probably what
you are thinking of. But even though an O.S. may have strong
internal security mechanisms, that security mechanism never
leaves the local machine. Once an external connection is made
into a machine, some service aliases what it authenticated, to
some valid internal user. Your internal O.S. has process-to-process
communications that can be snooped, your client-to-server process
can be spoofed, external sessions can be hijacked, and your external
data can be sniffed.
There is a biblical prophecy which talks about a statue of
the great world empires made of gold, silver, copper, legs
of iron etc. This great powerful statue collapsed because a
stone was thrown at its feet which were made of clay mixed
with iron. Silicon and wires? Food for thought.
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/Solaris/WWW/Firewalls/Routers/Mainframe_UNIX
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
HDS Marketing ---> http://www.hdshq.com/
Freedom ---> http://www.libertarian.com/
Threats ---> http://www.ccnet.com/~suntzu75/resister.htm