>However, we have run into speed bumps with individuals processing
>classified information on unclassified PC's
According to what I've been told, those hard disks should be brought
into your classified network right away. Whether NT does or does not
prevent retreival of data fragments from deleted or reused disk space is
supposedly irrelevant to .mil security. If classified data has ever been
on a drive, the drive stays in a machine on the classified network or
becomes a spare for a machine on the classified network. Shortage of
resources does not equal throwing your security policies and practices
out with the bath water.
>and virus problems, mostly those that affect the boot sector. Converting
>from WFW 3.11 and WIN 95 to NT Workstation with no FAT partitions, strictly
>NTFS partitions seem to be the optimal solution.
Removing the floppy drives is the optimal solution. An NTFS boot
partition will prevent the boot sector viruses.
>We do not have the budget nor training to install expensive firewalls at
>the Division level. We think less, but more robust machines running NT
>workstation on both the class and unclass LAN/WAN's, would offer what we
>require in terms of processing power and NT's excellent auditing/security.
Ah, life on the road. If the boss says "get it done", you do it, right?
I may be wrong here, but last I heard NT was not acceptable on the class
net, I would strongly suggest you check that out.
>While I have yet to see someone hack an NTFS partition with permissions and
>other holes plugged up (watched a couple of DISA's best guys try), the
>security goons still have conniption fits about placing classified data on an
>unclassified NTFS partition.
The "goons" are having conniptions more about putting classified data on
an unclassified machine than they are about putting class stuff on NTFS.
If its unclass, the physical security is different bud, so are access
controls, management, auditing, (need I go on?). Putting class data "out
in the wilds" is unnacceptable regardless of what you put on the drive
in terms of an OS. If the machine is deemed a class machine, its a
different animal.
NTFS, or some file encryption mechanism you might get your hands on,
employed on a UNCLASSIFIED machine, will never meet the specs for
classified data storage. 'Cause it ain't just about how the data is
stored on the drive or how the OS let's you get access to it. Security
isn't a thing you stick on a box or load into memory, its a whole range
of things from the lock on the door leading into the area to the size of
the ventillation ducting venting the air out the other end, oh, and by
the way, there's some software and hardware stuff somewhere inbetween.
>Any word on when NT will be network certified??
For CLASSIFIED data? I don't think that MS is going to provide you with
what you need. Even C2 Red Book certification ain't going to satisfy
your goons. Look to Global Internet's TNT product (www.gi.net), or
Nortel's Entrust products.
>We are also starting to use Iomega's Zip drive to store/archive/use large
>amounts of data. Merely attempting to find a solution that meets our needs,
>both from a function, security, and fiscal perspective.
Out of curiosity, what's your plan for securing the Zip drive
cartridges?
Cheers,
Russ
"any sufficiently advanced technology is indistinguishable from
magic"...Arthur C. Clarke
>
|
|
