1996-03-22 - Re: NT’s C2 rating

Header Data

From: Mark Aldrich <maldrich@grctechs.va.grci.com>
To: cypherpunks@toad.com
Message Hash: d70d9063a46673216caa5ad039a8795bca8140bbd5a497388cbc3182c6494f3b
Message ID: <Pine.SCO.3.91.960321172412.18669A-100000@grctechs.va.grci.com>
Reply To: <199603211813.KAA15750@spike.hnc.com>
UTC Datetime: 1996-03-22 12:36:59 UTC
Raw Date: Fri, 22 Mar 1996 20:36:59 +0800

Raw message

From: Mark Aldrich <maldrich@grctechs.va.grci.com>
Date: Fri, 22 Mar 1996 20:36:59 +0800
To: cypherpunks@toad.com
Subject: Re: NT's C2 rating
In-Reply-To: <199603211813.KAA15750@spike.hnc.com>
Message-ID: <Pine.SCO.3.91.960321172412.18669A-100000@grctechs.va.grci.com>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 21 Mar 1996, David Loysen wrote:

> Ain't nothing fine about that print. An operating system or piece of
> hardware may be C2 certifiable. But only a complete system in a specific
> configuration can be certified as C2 compliant. The way I read the orange
> book, no system with a network connection can ever be C2. For that matter a
> system can't get C2 unless it is in an area where you can control and
> monitor physical access to the system.

I have to disagree.  C2 most certainly can be given to a network product.  
That's why we have the TNI (Trusted Network Interpretation) of the 
criteria.  There are actually A1 network products on the EPL.  I've 
personally worked on both C2 and B1 network and database product 
evaluations, for example.

Also, evaluation is given to commercial products, not "complete 
systems."  A complete system goes through certification and 
accreditation, not evaluation against the Criteria.

Also, the physical security measures make no difference in regard to a C2 
rating.  A product can be C2 whether it's in a kiosk in a shopping mall, 
or inside of a SCIF.  The over-all security policy of the system dictates 
the right mix of software countermeasures (C2, B1, B2, etc.) and the 
physical countermeasures (public, locked room, not networked, in a SCIF).  
Normally, as you boost one side of the equation, you can lower the other.

In short, the criteria is used to rate the level of trust that can be 
placed in a given commercial product.  Sort of like a UL rating.  Once 
you buy it, though, the security posture in which you operate it is up to 
you.

------------------------------------------------------------------------- 
|      Liberty is truly dead              |Mark Aldrich                 | 
|    when the slaves are willing          |GRCI INFOSEC Engineering     | 
|     to forge their own chains.          |maldrich@grci.com            | 
|        STOP THE CDA NOW!                |MAldrich@dockmaster.ncsc.mil | 
|_______________________________________________________________________| 
|The author is PGP Empowered.  Public key at:  finger maldrich@grci.com |
|    The opinions expressed herein are strictly those of the author     | 
|         and my employer gets no credit for them whatsoever.           | 
-------------------------------------------------------------------------
