Internet Message Format | 1994-03-07 | 11KB
Path: wzv.win.tue.nl!news.win.tue.nl!tuegate.tue.nl!news.nic.surfnet.nl!sun4nl!EU.net!howland.reston.ans.net!vixen.cso.uiuc.edu!sdd.hp.com!ihnp4.ucsd.edu!pacbell.com!decwrl!decwrl!waikato!comp.vuw.ac.nz!gcs.co.nz!dave
From: dave@gcs.co.nz (David Carmine)
Subject: Responses to Post about the 'Rainbow Series'
Organization: GCS Limited, Wellington, New Zealand
Date: Mon, 7 Mar 1994 03:21:25 GMT
Message-ID: <CM9ynr.6FC@gcs.co.nz>
Followup-To: dave@gcs.co.nz
Keywords: security Rainbow
Lines: 219
From a post I did last week about the Rainbow Series, I hope the
following is useful, as this is some of the excerpts from
what I received. Thank you to all those who provided plenty of
information.
-----stuff cut out--------
Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
CERT personnel answer 8:30a.m.-5:00p.m. EST(GMT-5)/EDT(GMT-4),
on call for emergencies during other hours.
==============================================================================
COMPUSEC DOCUMENTS February 1993
DISTRIBUTION POLICY: To receive one complimentary copy of the following
publications, call or write the INFOSEC Awareness Office as follows:
INFOSEC Awareness Division
ATTN: X711/IAOC
Ft. George G. Meade, MD 20755-6000
(410) 766-8729
Additional copies can be ordered from the Government Printing Office.
WRITTEN REQUESTS:
Superintendent of Documents
U.S. Government Printing Office
Washington, DC 20402
PHONE REQUESTS
(202) 783-3238
Hours: 0800-1600 (Mastercard, VISA, CHOICE)
DoD Trusted Computer System Evaluation Criteria
(DoD 5200.28 STD) (Orange Book)
GPO STOCK NUMBER: 008-000-00461-7
COST: $6.00
DoD Password Management Guidelines
(CSC-STD-002-85) (Green Book)
GPO STOCK NUMBER: 008-000-00443-9
COST: $1.75
Guidance for Applying the DoD Trusted Computer
System Evaluation Criteria in specific
Environments (CSC-STD-003-85) (Yellow Book)
GPO STOCK NUMBER: 008-000-00442-1
COST: $1.00
Technical Rationale Behind CSC-STD-003-85:
Computer Security Requirements (CSC-STD-004-85)
(Yellow Book)
GPO STOCK NUMBER: 008-000-00441-2
COST: $2.00
Advisory Memorandum on Office Automation
Security Guideline (NTISSAM COMPUSEC/1-87)
(White Document)
NOT AVAILABLE FROM GPO
A Guide to Understanding Audit in Trusted
Systems (NCSC-TG-001, Version-2) (Tan Book)
GPO STOCK NUMBER: 008-000-00508-7
COST: $2.00
Trusted Product Evaluations - A Guide for Vendors
(NCSC-TG-002, Version-1) (Bright Blue Book)
GPO STOCK NUMBER: 008-000-00569-9
COST: $2.50
A Guide to Understanding Discretionary Access
Control in Trusted Systems (NCSC-TG-003, Version-1)
(Orange Book)
GPO STOCK NUMBER: 008-000-00539-7
COST: $2.00
Glossary of Computer Security Terms
(NCSC-TG-004, Version-1) (Aqua Book)
GPO STOCK NUMBER: 008-000-00522-2
COST: $3.25
Trusted Network Interpretation (NCSC-TG-005,
Version-1) (Red Book)
GPO STOCK NUMBER: 008-000-00486-2
COST: $13.00
A Guide to Understanding Configuration
Management in Trusted Systems (NCSC-TG-006,
Version 1) (Orange Book)
GPO STOCK NUMBER 008-000-00507-9
COST: $2.00
A Guide to Understanding Design Documentation
in Trusted Systems (NCSC-TG-007, Version 1)
(Burgundy Book)
GPO STOCK NUMBER 008-000-00518-4
COST: $2.25
A Guide to Understanding Trusted Distribution
in Trusted Systems (NCSC-TG-008, Version 1) (Lavender Book)
GPO STOCK NUMBER: 008-000-00536-2
COST: $2.00
Computer Security Subsystem Interpretation of
the Trusted Computer System Evaluation Criteria
(NCSC-TG-009) (Venice Blue Book)
GPO STOCK NUMBER: 008-000-00510-9
COST: $2.25
Trusted Network Interpretation Environments
Guideline -- Guidance for Applying the Trusted
Network Interpretation (NCSC-TG-011, Version 1)
GPO STOCK NUMBER: 008-000-00566-4
COST: $4.00
Rating Maintenance Phase Program Document
(NCSC-TG-013, Version 1) (Hot Pink Book)
GPO STOCK NUMBER: 008-000-00542-7
COST: $5.00
Guidelines for Formal Verification Systems
(NCSC-TG-014) (Purple Book)
GPO STOCK NUMBER: 008-000-00540-1
COST: $2.00
A Guide to Understanding Trusted Facility
Management (NCSC-TG-015, Version 1)
(Brown Book)
GPO STOCK NUMBER: 008-000-00560-5
COST: $3.50
Guidelines for Writing Trusted Facility
Manuals (NCSC-TG-016, Version 1)
(Yellow-Green Book)
NOT AVAILABLE FROM GPO
A Guide to Understanding Identification and
Authentication in Trusted Systems
(NCSC-TG-017, Version 1) (Lt. Blue Book)
NOT AVAILABLE FROM GPO
A Guide to Understanding Object Reuse in
Trusted Systems (NCSC-TG-018) (Lt Blue Book)
GPO STOCK NUMBER: 008-000-00617-2
COST: $1.75
Trusted Product Evaluation Questionnaire
(NCSC-TG-019, Version 2) (Blue Book)
GPO STOCK NUMBER: 008-000-00613-0
COST: $3.00
Trusted UNIX Working Group (TRUSIX) Rationale for
Selecting Access Control List Features for the
UNIX* System (NCSC-TG-020A, Version 1) (Gray Book)
GPO STOCK NUMBER: 008-000-00559-1
COST: $4.25
Trusted Database Management System Interpretation
(NCSC-TG-021, Version 1) (Lavender Book)
GPO STOCK NUMBER: 008-000-00582-6
COST: $8.50
A Guide to Understanding Trusted Recovery in
Trusted Systems (NCSC-TG-022) (Yellow Book)
GPO STOCK NUMBER: 008-000-00611-3
COST: $4.00
A Guide to Understanding Data Remanence in
Automated Information Systems
(NCSC-TG-025, Version-2) (Green Book)
NOT AVAILABLE FROM GPO
A Guide to Writing the Security Features User's
Guide for Trusted Systems (NCSC-TG-026, Version 1)
(Hot Peach Book)
GPO STOCK NUMBER: 008-000-00593-1
COST: $2.25
A Guide to Understanding Information System
Security Officer Responsibilities for Automated
Information Systems (NCSC-TG-027, Version 1)
(Turquoise Book)
NOT AVAILABLE FROM GPO
Assessing Controlled Access Protection
(NCSC-TG-028, Version 1) (Violet Book)
GPO STOCK NUMBER: 008-000-00615-6
COST: $5.00
Status: updated Wed Aug 25 17:41:21 EDT 1993
-----stuff cut out--------
The Green and Red books can be obtained via anonymous ftp
from
csrc.ncsl.nist.gov
in directory pub/secpubs. The filenames are tg005.txt and std002.txt.
I don't believe the others are there, though...
-----stuff cut out--------
ftp to csrc.ncsl.nist.gov (129.6.54.11). The documents you want will
be in pub/nistpubs and pub/secpubs. You can use the index file to map
document titles to file names.
Regards Dave.
Path: wzv!svin02!tuegate.tue.nl!sun4nl!mcsun!uunet!cs.utexas.edu!asuvax!ukma!morgan
From: morgan@ms.uky.edu (Wes Morgan)
Newsgroups: alt.security
Subject: Re: covert channels
Message-ID: <1991Dec19.132858.21031@ms.uky.edu>
Date: 19 Dec 91 18:28:58 GMT
References: <kdHpH4S00j5uQodsNS@andrew.cmu.edu>
<kl02qdINN9e2@early-bird.think.com> <85834150@bfmny0.BFM.COM>
Organization: The Puzzle Palace, UKentucky
Lines: 82
X-Bytes: 3943
In article <85834150@bfmny0.BFM.COM> tneff@bfmny0.BFM.COM (Tom Neff) writes:
>
>I mean, if B2 requires covert channels be blocked, and N different
>products make the grade and get their little gold stars etc, then
>someone thinks of a radically clever new channel! -- are all the little
>gold stars automatically revoked until the gurus catch up, or what?
>
Whenever the subject of NCSC security ratings (B1,C2, et cetera) comes up,
there's one thing you need to remember. The NCSC certifications are given
on SPECIFIC hardware/software/physical environments. For instance, an
AT&T 3B2/600 running System V Unix 3.1.1 with the MLS add-on might be
certified as B1 *in the testing laboratory*. As soon as I take that IDENTICAL
system and place it in my machine room, it drops all the way down to a
rating of D. Why? In this case, because access to the machine room (the
physical security environment) is not adequately controlled; the custodial
staff's passkeys will give them access. Software and hardware cannot, in
and of themselves, sustain a given rating (other than D, of course).
For instance, the NCSC guidelines indicate that no site participating in
Usenet can claim a security rating; the proof is left as an exercise for the
reader.
If you're interested in the NCSC criteria, you should get a set of the
"Rainbow Series". While the "Orange Book" is the most widely known, the
other volumes in the set are equally informative. Here's the list:
-- Department of Defense Trusted Computer System Evaluation Criteria
(TCSEC), aka the "Orange Book"
-- Computer Security Subsystem Interpretation of the TCSEC
-- Trusted Data Base Management System Interpretation of the TCSEC
-- Trusted Network Interpretation of the TCSEC
-- Trusted Network Interpretation Environments Guideline -- Guidance
for Applying the Trusted Network Interpretation
-- Trusted Unix Working Group (TRUSIX) Rationale for Selecting
Access Control List Features for the Unix System
-- Trusted Product Evaluations -- A Guide for Vendors
-- Computer Security Requirements -- Guidance for Applying the DoD
TCSEC in Specific Environments
-- Technical Rationale Behind CSC-STD-003-85: Computer Security
Requirements
-- Trusted Product Evaluation Questionnaire
-- Rating Maintenance Phase -- Program Document
-- Guidelines for Formal Verification Systems
-- A Guide to Understanding Audit in Trusted Systems
-- A Guide to Understanding Trusted Facility Management
-- A Guide to Understanding Discretionary Access Control in Trusted
Systems
-- A Guide to Understanding Configuration Management in Trusted Systems
-- A Guide to Understanding Design Documentation in Trusted Systems
-- A Guide to Understanding Trusted Distribution in Trusted Systems
-- Department of Defense Password Management Guideline
-- Glossary of Computer Security Terms
A complete set may be obtained, at no cost, by contacting:
INFOSEC Awareness Office
Department of Defense/National Security Agency
Attn: S332
9800 Savage Road
Ft. George G. Meade, MD 20755-6000
Phone: (301) 688-8742
If you're serious about security (or just want to get down in the bowels of
the topic), I'd recommend getting this series. The reading does get a bit
tedious, but you'll develop a keen awareness of security needs/problems. In
addition, you'll be placed on their mailing list for new volumes in the series,
as well as updates and conference/seminar announcements.
I understand that there is a parallel volume in Great Britain, developed by
the British analogue of the NCSC; however, I have not seen it. If anyone
knows how to obtain a copy (either online or hard copy), please let me know.
Wes
--
morgan@ms.uky.edu |Wes Morgan, not speaking for| ....!ukma!ukecc!morgan
morgan@engr.uky.edu |the University of Kentucky's| morgan%engr.uky.edu@UKCC
morgan@ie.pa.uky.edu |Engineering Computing Center| morgan@wuarchive.wustl.edu