True enough. The fact is neither is Novell. They are both going
through the lengthy review process. They were both designed to be
compliant, but won't actually be until much later. Unfortunately, as
I'm sure you know, these certifications often take longer than 3 product
cycles. It is part of the marketing machine that tries to simplify the
concepts to the point that the uninformed can understand them and grasp
something that is meaningful. Along the same lines, HPUX 10.20 is not
rated yet either.
This always breaks down to the semantics of
compliant/certified/certifying etc. You can safely bet that no OS that
came out in the last 9 months has made it through all the reviews yet.
The list is at http://www.radium.ncsc.mil/tpep/epl/
The simple fact is that this is not a disadvantage of NT compared to
anything that it competes against. All the products claim to be secure
because to an extent they are and people care to hear that. None are
actually evaluated at this point so this whole argument is pointless.
regards
Andy
=======================================================
Andy Webb awebb @ swinc . com www.swinc.com
Simpler-Webb, Inc. Austin, TX 512-322-0071
"The clue meter is reading zero..." - Dilbert
=======================================================
> -----Original Message-----
> From: Martin Dion [SMTP:matrix @ citenet . net]
> Sent: Thursday, March 20, 1997 2:39 PM
> To: Vern Williams
> Cc: firewalls @ GreatCircle . COM
> Subject: Re: WinNT and C2 - Tired of that shit !!!
>
> Ok... That's it... I'm tired of that discussion... Microsoft Windows NT
> IS NOT C2 Compliant . (DOT) It's close, they said it is, maybe, maybe
> not, depends on the condition. NO ! It is not a C2 OS !!! If you want
> a secure NT environment, don't waste your time to configure it, use
> Mergent PC Dacs or whatever security add on you may wish !
>
> Microsoft Windows NT is not recognized as a C2 compliant OS neither by
> the NSA, the NCSA or the DOD department.
>
> Have a nice day,
> Martin Dion. BS CS.
> Network Security Specialist.
>
> ------------------------------------------------------------------------------------
>
> Vern Williams wrote:
> >
> > David Harvey-George wrote:
> > >
> > > > From: Leonard Miyata <leonard @ geminisecure . com>
> > >
> > > > Let me provide some further information on the subject. If Microsoft's
> > > > claim of ITSEC equivalent of C2 is correct...
> > >
> > > Their press release seems very carefully worded in a way to present NT in as
> > > favorable light as possible (no kidding :-). They talk a lot about having
> > > completed the first stages of the Red and Blue book requirements and then
> > > talk about ITSEC which they claim is derived from the NSA's Red book. The
> > > release then talks about Orange Book C2 security being a standard part of
> > > NT.
> > >
> > > However it seems that the following is clear:
> > >
> > > 1 NT is C2 Orange book compliant if configured correctly
> > >
> > > 2 NT is not C2 Red book compliant but has passed another network security
> > > standard, the ITSEC FC2, this is derived from the Red book but evidently
> > > isn't the same thing, otherwise MS would have that too!
> > >
> > > 3 The ITSEC FC2 rating only applies to NT WS and SRV versions 3.51.
> > >
> > > 4 It was not clear if a standard NT 3.51 release could be FC2 compliant or
> > > whether additional components were necessary. Reading between the lines of
> > > the marketing blather I think the latter is the case, comments?
> > >
> > > 5 It's not clear whether or not they've passed the European E3
> > > requirements. The implication was that if you pass FC2 you are also E3
> > > compliant as they are the same thing. Hmmmm.
> > >
> > > David
> > >
> > > ps Anyone know anything about Microsoft's slated firewall product.
> >
> > My understanding is that only NT 3.5 (not 3.51) Workstation and Server
> > have been evaluated for C2 Orange Book (Stand alone workstation). This
> > requires the removal of both the floppy drive and the NIC. Hard to
> > imagine a use for a server without a NIC, but ...
> >
> > One of the major deficiencies is the lack of a secure (from tampering by
> > the system administrator) auditing capability.
> >
> > I would be interested in any info on NT 3.51 or 4.0 security evaluations.
> >
> > Vern Williams