Great Circle Associates Firewalls
(July 1994)


Subject: C2, etc --
From: Marcus J Ranum <mjr @ tis . com>
Date: Tue, 26 Jul 94 13:23:55 EDT
To: firewalls @ GreatCircle . COM, ted @ gw . lsli . com

[I've reformatted text for readability]
>From: ted @ gw . lsli . com
>Hold the phone there chief. As I recall AIX 3 exceeds the Department of
>Defense C2 security rating.

	Systems are not "rated" with orange book digraphs; they are
"evaluated."  The other important thing about orange book digraphs
is that the only thing that means anything is whether the product
has been through evaluation or not. Lots of vendors sell systems
that are "able to be evaluated at XX" or "designed to meet XX level"
which means nothing. A digraph only has meaning if the system in
that specific configuration has actually been evaluated by NCSC.
It's like saying, "this car is designed to be reliable for 500,000
miles" versus "this car has been *tested* and has worked for 500,000

	C2 basically has a bunch of stuff in it that is pretty
much par for the course, UNIX-security-wise. Logging, various
audit capabilities, password expiration, and so on. It's not
until you get to B2 and higher systems that you get formal
penetration testing, minimal implementation, and some of the
really tough stuff like covert channel analysis. More to the
point, all this trusted system stuff is designed to protect a
host in a multi-level environment. For a firewall, unless you
let users log on to it [bad idea!] it doesn't buy you much,
since the firewall's just running a lot of network daemons. I
suppose that multilevel systems could help you if you ran
sendmail in its own permissions domain, but you would need to
likely bang on sendmail to make it work on a multilevel system.
This would be interesting, of course -- but C2 doesn't have
all that stuff anyhow.

	C2 (or any orange book digraph) also doesn't mean much
if the capabilities are disabled. Most UNIXes these days have
"designed to meet C2 requirements" capabilities, and the vendors
ship the systems with the C2 stuff turned off, and the administrators
never turn it on. So having it doesn't mean much.

	Does Portus take advantage of any of the C2+ capabilities of the
system? [I ask because apparently you work for them?]

>IBM spent a truckload of money fixing the security holes in UNIX. IBM's
>research division has been using a firewall (LSLI's PORTUS) based upon AIX
>to successfully protect their division from intruders since 1988. That in
>itself is remarkable considering their high profile.

	Fixing security holes is always a good thing to see vendors
doing -- it sure is encouraging! We've found that it's problematic to
rely on the on-host application software, which is the basis for our
approach of keeping users off the machine and dramatically restricting
the number of network services that outsiders can connect to.

