From: smith@sctc.com (Rick Smith)
To: snow <snow@smoke.suba.com>
Message Hash: 5fa1a01b61e2240171eac3d8e9d96a92b1f0b54df71c2ed0013aaa0659d5c479
Message ID: <v01540b05ae5385ae910d@[172.17.1.61]>
Reply To: N/A
UTC Datetime: 1996-09-04 22:36:01 UTC
Raw Date: Thu, 5 Sep 1996 06:36:01 +0800
From: smith@sctc.com (Rick Smith)
Date: Thu, 5 Sep 1996 06:36:01 +0800
To: snow <snow@smoke.suba.com>
Subject: Protecting Web servers (was: Moscowchannel.com hack)
Message-ID: <v01540b05ae5385ae910d@[172.17.1.61]>
MIME-Version: 1.0
Content-Type: text/plain
> Could you illuminate me on this subject please? I am working with a
>potential client who may need a fairly secure web server.
Years ago, the government published some criteria for highly secure
systems, notably the TCSEC or "Orange Book," which described requirements
for protecting classified information on a timesharing system with
uncleared users. Several vendors managed to build such systems, though very
few were judged secure enough to really protect classified data from
uncleared users.
However, the underlying mechanisms of "mandatory access control" do manage
to block a range of sophisticated attacks against the host computer. These
are the systems given the various B and A ratings: B1, B2, B3, A1 (in
ascending order of security). Also-ran systems that can keep honest people
from tripping over one another were given "C" ratings, though "C2" is all
you see any more.
A few vendors are putting Web servers and such on systems with mandatory
protection. I've heard talk of it from SecureWare, HP, Harris, and AT&T
using B1 or B1-like systems. Pardon the plug, but our Sidewinder also hosts
a protected Web server and uses mandatory protection to prevent Internet
attacks from damaging it.
In practice, I've found that most customers just want to demonstrate "due
diligence" regarding security. They pick up whatever's popular in the
marketplace that has some pretention of strong security ("We're C2 rated by
the government!!"). It's a rare customer that actually takes the time to
look at the security issues and consider whether they might need what
mandatory protection provides.
Rick.
smith@sctc.com secure computing corporation
Return to September 1996
Return to “smith@sctc.com (Rick Smith)”
1996-09-04 (Thu, 5 Sep 1996 06:36:01 +0800) - Protecting Web servers (was: Moscowchannel.com hack) - smith@sctc.com (Rick Smith)