That Right, If you want the Networking C2 requirments you
have to look at the "Red Book" (TNI) which supplements the
"Orange Book" for Network functionality. (The TNI also defines
A1, B3, B2, B1 networking requirments as well)
P.S. While checking the Orange Book, check the qualifications
necessary to do a C2 evauluation. I bet that the majority of
readers of this forem would qualify. And if you personally
can't find a security bug in O.S. in two-three weeks, does
this mean the O.S. is secure???
Personal Opinions provided by
Gemini Computers Inc.
On Wed, 2 Oct 1996, Davidson, Clyde wrote:
> <Replying to several messages>
> Don't forget that the "Orange Book" that defines C2 is not for any
> networked system. It defines government security requirements for
> stand-alone systems. That means that any UNIX system that is networked
> would loose whatever C2 certification that it might have, just like NT.
> Also remember that C2 is Discretionary Access Control. That means that
> "The discretionary access control mechanism shall, either by explicit
> user action or by default, provide that objects are protected from
> unauthorized access. These access controls shall be capable of including
> or excluding access to the granularity of a single user." The Orange
> Book. It looks to me that NT and any C2 UNIX both do this just fine. Of
> course, being discretionary means that NT and UNIX can be configured
> without any security at all. That is the requirement. If you want
> Mandatory Access Control you will have to make your system B1, B2, B3, or
> A1 level of security. However, you still can't network it.
> Then again, none of this discusses whether these are even worthwhile for
> commercial businesses.
> Clyde Davidson