- Path: sparky!uunet!dtix!darwin.sura.net!wupost!zaphod.mps.ohio-state.edu!cs.utexas.edu!hermes.chpc.utexas.edu!apas611
- From: apas611@chpc.utexas.edu (David Boles)
- Newsgroups: comp.os.os2.programmer
- Subject: Re: C2 Security
- Message-ID: <1992Jul24.201426.5137@chpc.utexas.edu>
- Date: 24 Jul 92 20:14:26 GMT
- References: <976@engcon.marshall.ltv.com> <terryk.711987309@cc.gatech.edu>
- Organization: The University of Texas System - CHPC
- Lines: 38
-
- In article <terryk.711987309@cc.gatech.edu> terryk@terminus.gatech.edu (Terry Kane) writes:
- >
- >Orange book ratings used in general computing are overkill.
- >Basically, I think that non-defense users are looking at two or three
- >categories: unsecure and generally secure. The protection that's
- >desired is protection against malicious or ignorant attacks on the
- >integrity of the system. ACLs on the file system and device drivers
- >provide this, and ACLs are provided at the C2 level.
- >
- >Hence - I want C2 from my operating system. I'll provide physical
- >security, and if anybody wants to steal my data by monitoring
- >electromagnetic emissions - Hey, more power to 'em.
-
- Sorry to disappoint, but C2 does not require ACL's for devices. That
- is a B1 feature. C2 is the _minimal_ level of security that provides
- even a reasonable level of security in the face of an attack.
-
- Nevertheless, your point about orange book ratings typically being
- overkill is correct. Even something as "wimpy" as C2 can be extremely
- limiting in a shared computing environment. Unfortunately, Msoft is
- setting up NT as being a replacement for server-type OS's at large
- sites. As a result, I guess they felt that they would have to make
- some noise about security issues to sound like they knew what they
- were doing. However, they started saying C2 before they apparently
- knew what was involved, then backpedaled on it saying that the government
- (NCSC) was moving too slowly. Given that the pre-beta SDK just shipped
- doesn't even include the filesystem, we can all tell who didn't have
- their act together.
-
- It seems that security in the orange book sense doesn't make much sense
- for most folks however. It focuses on things like loss or alteration
- of information. While these things are certainly important, for most
- non-military related systems, attacks (malicious or inadvertent) that
- result in denial of service are just as important.
-
- Cheers,
-
- David Boles
-