Protecting Web servers (was: Moscowchannel.com hack)

>     Could you illuminate me on this subject please? I am working with a
>potential client who may need a fairly secure web server.

Years ago, the government published some criteria for highly secure
systems, notably the TCSEC or "Orange Book," which described requirements
for protecting classified information on a timesharing system with
uncleared users. Several vendors managed to build such systems, though very
few were judged secure enough to really protect classified data from
uncleared users.

However, the underlying mechanisms of "mandatory access control" do manage
to block a range of sophisticated attacks against the host computer. These
are the systems given the various B and A ratings: B1, B2, B3, A1 (in
ascending order of security). Also-ran systems that can keep honest people
from tripping over one another were given "C" ratings, though "C2" is all
you see any more.

A few vendors are putting Web servers and such on systems with mandatory
protection. I've heard talk of it from SecureWare, HP, Harris, and AT&T
using B1 or B1-like systems. Pardon the plug, but our Sidewinder also hosts
a protected Web server and uses mandatory protection to prevent Internet
attacks from damaging it.

In practice, I've found that most customers just want to demonstrate "due
diligence" regarding security. They pick up whatever's popular in the
marketplace that has some pretension of strong security ("We're C2 rated by
the government!!"). It's a rare customer that actually takes the time to
look at the security issues and consider whether they might need what
mandatory protection provides.

[email protected]             secure computing corporation