[H-GEN] Hmmmm - who's paranoid? ;)

Andrae Muys A.Muys at mailbox.uq.edu.au
Mon Feb 16 20:54:49 EST 1998


On Tue, 17 Feb 1998, Robert Brockway wrote:

> On Tue, 17 Feb 1998, Jason Parker wrote:
> 
> > [4] : *THE* reference for computer security.  Defines the famous
> >       C3, C2, C1 security levels that NT weenies are so fond of
> >       touting.  For reference, some unixes, with work, manage a C3
> >       rating, if memory serves.  The ratings go all the way to A1,
> >       where it takes more time to document the code, than to write
> >       it.
> 
> NT scored C2 if it isn't connected to a network.  If it is, I don't think 
> it qualifies for a secure rating.  I believe some Unices have received C2
> accreditation, but I may be wrong.

OK, 

NT 3.51 on a Compaq (Presario IIRC), with the floppy drive removed and no
NIC.  With a large number of services disabled in the registry, basically
it becomes completely unusable for anyone other than admin (ok so that
almost qualifies as a pun :).  Under this config' NT qualified as C2
Certified.  The trick here is that M$ is "in the process" of certifying
NT with the useful stuff added back, they've been "in the process" for
quite some time now :).

Note that this leaves NT3.51 in _any other configuration_ without a
certification.  NT4.0 would also have to be certified separately, however
as the certification for NT3.51 was only a marketing gesture, don't hold
your breath.

From what I have read of the orange and red books Linux would probably be
usable after being tied down suitably to match a C1 rating.  I don't have
enough knowledge to know if it could obtain C2.  I do know that a couple
of unixes have been given B1 after *very* significant reworking, recoding,
and long after the hardware they ran on was horribly out of date.

And of course it is the skill and experience of the system and security
administrators/operators that is the single limiting factor in the overall
security of a system.  So except for a few (mostly defense and state)
installations, the whole certification system is bunk.

Not really surprising actually as the whole system was designed for those
defense and state sites, and never intended to be used in the commercial
arena.  This stuff really is worse than benchmarking.

Andrae Muys

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Andrae Muys              "I have no wish to recite ... stratagems, for they
andrae at humbug.org.au     have all the same end in view, which is, to oblige
My stuff, Linux stuff        the enemy to make unnecessary marches in favor
http://www.uq.edu.au/~cmamuys/   of our own designs." - Frederick the Great.

