Hello,
> This discussion on C2 is based on certified vs. certifiable. When
> Microsoft stated their OS was C2 Certified, what they really meant was
> it was CERTIFIABLE to a DOD (Department of Defense) C2 level of
> security.
Well, yes and no. It was, in fact, certified to an E3 level in the ITSEC
scheme, and the sections which were certified were those which were
contained in a "Functionality class" which contains the features required
for an old-style TCSEC certification. (TCSEC certifications are no longer
being performed - the US is pushing Common Criteria now.)
(Were there no network requirements for a TCSEC C2 certification?)
And it wasn't looked at by the DOD - I think it was Logica which
performed the evaluation. The UK ITSEC certification body (made up
of CESG and the DTI) then evaluated their report, and awarded a
certification.
CESG is the UK equivalent of the NSA, I suppose.
> To actually BE CERTIFIED, you have to submit an architecture proposal to
> the DOD for certification. Then once approved (certified), it's a nightmare
> to make any type of modifications to your network architecture without
> long drawn out requests.
This is also very, very true with ITSEC certification. If you have an NT
Box running in a certified configuration, you won't be able to put any
released patches on it unless they pass through the Certificate
Maintenance Scheme. And getting certification does, in fact, take a lot of
work.
> Generally, only Government operations go through this painstaking
> procedure, (Air Force, CIA, blah, blah). The public sector does not???
Not really true, you should check out the products listed at
http://www.itsec.gov.uk
(Or you could check out our website. ;-)
cheers,
Michael