Re: NT's C2 rating
On Thu, 21 Mar 1996, David Loysen wrote:
> Ain't nothing fine about that print. An operating system or piece of
> hardware may be C2 certifiable. But only a complete system in a specific
> configuration can be certified as C2 compliant. The way I read the orange
> book, no system with a network connection can ever be C2. For that matter a
> system can't get C2 unless it is in an area where you can control and
> monitor physical access to the system.
I have to disagree. C2 most certainly can be given to a network product.
That's why we have the TNI (Trusted Network Interpretation) of the
criteria. There are actually A1 network products on the EPL. I've
personally worked on both C2 and B1 network and database product
evaluations, for example.
Also, evaluation is given to commercial products, not "complete
systems." A complete system goes through certification and
accreditation, not evaluation against the Criteria.
Also, the physical security measures make no difference in regard to a C2
rating. A product can be C2 whether it's in a kiosk in a shopping mall,
or inside of a SCIF. The overall security policy of the system dictates
the right mix of software countermeasures (C2, B1, B2, etc.) and the
physical countermeasures (public, locked room, not networked, in a SCIF).
Normally, as you boost one side of the equation, you can lower the other.
In short, the criteria is used to rate the level of trust that can be
placed in a given commercial product. Sort of like a UL rating. Once
you buy it, though, the security posture in which you operate it is up to
you.
-------------------------------------------------------------------------
| Liberty is truly dead |Mark Aldrich |
| when the slaves are willing |GRCI INFOSEC Engineering |
| to forge their own chains. |[email protected] |
| STOP THE CDA NOW! |[email protected] |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger [email protected] |
| The opinions expressed herein are strictly those of the author |
| and my employer gets no credit for them whatsoever. |
-------------------------------------------------------------------------