We are discussing the US government classification of security levels:
DoD levels pertaining to the "Orange Book", written by the US Department of
Defense, and NSA criteria pertaining to the "Red Book". To be specific,
Microsoft requested a C2 certifiable security level from, specifically, the
DoD. This was a publicity snow job, obviously, but it was still from the
US DoD. I absolutely think that better, more robust standards should be
devised for the public sector regarding security.
What you say may be true of other nations, however.
-----Original Message-----
From: Michael.Owen [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, June 23, 1999 5:04 AM
To: firewalls; David.Markle
Cc: Michael.Owen; Peter.Kunz
Subject: RE: C2 Security
Hello,
> This discussion on C2 is based on certified vs. certifiable. When
> Microsoft stated their OS was C2 Certified, what they really meant was
> it was CERTIFIABLE to a DOD (Department of Defense) C2 level of security.
Well, yes and no. It was, in fact, certified to an E3 level in the ITSEC
scheme, and the sections which were certified were those which were
contained in a "Functionality class" which contains the features required
for an old-style TCSEC certification. (TCSEC certifications are no longer
being performed - the US is pushing Common Criteria now.)
(Were there no network requirements for a TCSEC C2 certification?)
And it wasn't looked at by the DOD - I think it was Logica which
performed the evaluation. The UK ITSEC certification body (made up of
CESG and the DTI) then evaluated their report, and awarded a
certification.
CESG is the UK equivalent of the NSA, I suppose.
> To actually BE CERTIFIED, you have to submit an architecture proposal to
> the DOD for certification. Then once approved (certified), it's a nightmare
> to make any type of modifications to your network architecture without
> long drawn out requests.
This is also very, very true with ITSEC certification. If you have an NT
Box running in a certified configuration, you won't be able to put any
released patches on it unless they pass through the Certificate
Maintenance Scheme. And getting certification does, in fact, take a lot of
work.
> Generally, only Government operations go through this painstaking
> procedure, (Air Force, CIA, blah, blah). The public sector does not???
Not really true; you should check out the products listed at
http://www.itsec.gov.uk
(Or you could check out our website. ;-)
cheers,
Michael