Whenever, whatever, whoever,

You posted about the NIAP and the NIST before. I had typed up a reply but I didn't get around to posting it. I was going to tell you last time that the DoD doesn't go to the NIAP to decide what is COE compliant. The NIAP and the NIST are not DoD agencies. The NSA is a DoD agency. If you have noticed, the NSA has their own security-enhanced version of Linux. I have some more info about the NIAP if you want it. The military goes to the CIO "Chief Information Officers" Council to get a list of authorized products.

I can tell you the use of Linux and other open source software is approved by the DOD and has been used for years. I have worked on many networks that use Red Hat, Apache, Samba, Snort and other open source products. I have one close friend who is currently an admin on a military Linux network, and another who uses Red Hat and SNORT every day to perform security duties. He is filling a security admin job. His shop is a network security shop. They are very picky about regulations and they would not be using open source software if it was not authorized. There are many networks on this Island that I have worked on that are very concerned with security and they have been and are currently using open source products.

If you want to use M$ or open source software you always have to follow Common Operating Environment guidelines. The same goes for hardware. I happen to have instructions on this workstation for making a Red Hat 7.2 machine COE compliant. This means Red Hat Linux is authorized on DOD networks if you comply with the guidelines. There is a standard kernel that is mandatory. The use of a standard kernel is to provide a common base environment or a foundation for the open source architecture.

We have to follow guidelines when it comes to what M$ updates we can load. We are not authorized to load every piece of software M$ puts out. We wouldn't want a few hundred thousand users to lose their network connection because we loaded a new M$ security update. Mass chaos because of M$ updates has become a not so uncommon occurrence.

One last thing. I know the DoD has some confidence in the security of Linux. While I was in the Air Force one of my squadrons received the outstanding unit award for network security, four years in a row. I don't think this would have happened if our Red Hat boxes weren't authorized. But ya never know. I apologize if this turned into a long boring post.
-Cody

-----Original Message-----
From: whenever [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 5:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [luau] If someone ask you about Linux...

Don't believe everything you read from any news agency. Look at DoDD 8500.1, it supersedes DoD 5200.28-STD (Orange Book), read the whole thing and read section 4.17 more than once.

http://www.dtic.mil/whs/directives/corres/pdf/d85001_102402/d85001p.pdf

Then go to http://niap.nist.gov. Can you find Linux there at all? Look under Validated Products or Products in Evaluation. If your answer is 'NO', then it's not happening yet. Don't be surprised when you see w2k there with EAL4 (C2 in OB).

On Monday 30 June 2003 04:27 am, ronal wrote:
> If someone asks you what is happening with Open Source and Linux? Ask the
> DoD...
>
> http://www.forbes.com/2003/06/20/cz_eb_0620linux.html

_______________________________________________
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau
