The TCSEC 'Orange Book' was designed for a security evaluation of a
single isolated host (read mainframe) with real physical connections
from the user terminals.
The TNI 'Red Book' extends the 'Orange Book' security definitions
to the context of a single isolated unit. By unit, they include
all the components of the network (workstations, routers, servers,
etc.). Unlike a physical serial connection to a dumb terminal,
network connections may not be direct physical connections, but
indirect connections via a router or routing host. Without a
method to ensure a trusted connection (encryption with data labeling),
the possibility exists of data being tampered with between the sender
and receiver, as the network itself is considered outside of
physical security control and is insecure.
The moment you add a network card to a host, you're outside the
definitions of the 'Orange Book' and must now consider the
'Red Book' security of the entire network and all of its components.
To receive a Red Book rating, all of the 'Orange Book' definitions
(DAC, MAC, I&A, Audit) must be extended to cover the entire network.
Individual components may have an 'Orange Book' rating less than the
rating of the network, as long as some other network component is
responsible for enforcing the policy.
Currently, Windows NT has been evaluated at 'Orange Book' C2.
The NT Server Kit does state that NT was designed for 'Red Book' C2,
and by looking at NT network features you can see the attempt
(Domain Servers for DAC, PPTP for trusted path and I&A, no MAC at C2);
the problems have been with the implementation, and the marketing
demands to add new features without considering the security
implications (such as ActiveX).
It is possible to design networks for 'Red Book' evaluations, as
Boeing has demonstrated a (GASP!) A1 network for several years now.
A workable 'Red Book' evaluated network will only come about
if there is enough market demand for it, as well as avoiding the
temptation of demanding 'bleeding edge' new features.
Personal opinions provided by
Leonard Miyata
aka leonard@geminisecure.com
Gemini Computers Inc.
On Thu, 24 Jul 1997, Paul McNabb wrote:
>
> The fact that NT can't have a network card is more damning. Is it
> that there can't be a card in the machine or just that networking
> can't be enabled? There was a Unix box that got a B1 rating but it
> could not have networking enabled, and only processes from a single
> user could run at a time (multitasking but not multiuser). This
> applied to cron jobs as well -- they couldn't run if another user's
> process existed. It all goes to show you that just because something
> is evaluated, it doesn't mean it is necessarily useful. If you are
> willing to cut enough functionality out of a program or OS, you can
> get almost anything evaluated to almost any level.
>
> paul
>
> ---------------------------------------------------------
> Paul McNabb Argus Systems Group, Inc.
> Vice President and CTO 1809 Woodfield Drive
> mcnabb@argus-systems.com Savoy, IL 61874 USA
> TEL 217-355-6308
> FAX 217-355-1433 "Securing the Future"
> ---------------------------------------------------------
>