Re: Security: FreeBSD vs OpenBSD
%BTW, NT4 was C2 qualified when locked down with its networking guts
%removed. This was quite a few of your "generations" ago too. I have seen
%no documentation that anything else Microsoft distributes has been C2
%qualified, and I highly doubt I will any time soon. Just had to get that
%jab in there. =)
This is exactly what I mean about people not understanding the Orange
Book. Having its networking guts ripped out is a complete myth, and
anyone with an understanding of the book would realize that it is
totally irrelevant, but don't take my word for it:
"The evaluated configuration for Windows NT 4.0 Service Pack 6a with the
C2 Update includes any number of the Windows NT Server and/or the
Windows NT Workstation products, acting in any one of the following
roles, either stand-alone or connected via a physically protected
network consisting of zero or more Windows NT domains:
Microsoft Windows NT 4.0 Server product
. Primary Domain Controller (PDC);
. Backup Domain Controller (BDC);
. Non-Domain Controller (domain member); and
. Non-Domain Controller (non-domain member).
Microsoft Windows NT 4.0 Workstation product
. Domain member; and
. Non-domain member."
-FINAL EVALUATION REPORT
Windows NT Workstation and Server
Version 4.0, Service Pack 6a
And as far as it being current goes? Well, the latest evaluation was
completed in 11-99; considering how long it takes for an evaluation to
be completed, I assume we will see one for Win2k late this year/early
next. An informal evaluation will tell you that Win2k effectively
meets the C2 TCSEC.
And other products Microsoft makes? MS-SQL Server 8.0 also received the
C2 rating in August 2000, but I am sure it had its networking guts
removed as well. ;)
I never said worship the guide; in fact many fine systems like Argus'
DBAC, SELinux's Flask, YGuard, and AITS's inherited RBAC are not covered
by DOD-5200.28-STD, yet are all fine systems. The Orange Book is flawed
in many ways for mainstream operating systems: its over-reliance on the
Bell-La Padula security model, while reasonably effective as a
security model, is both incomplete and difficult to implement by anyone
other than experts (a bad quality in an OS aimed at the general
"Security is not defined by adhering to rules laid out in a book.
Security is not a product you can sell.
Security does not come in a box wrapped up in bows."
Security is verifiable, not voodoo magick peddled by "experts".
And UNIX is an operating system that was created by AT&T and later sold to
SCO and renamed SCO UNIX-WARE. UN*X is UNIX, BSD, Solaris, Xenix, Sinix,
AIX, HP-UX, UTS, etc, etc, etc, and nowadays even often includes the
bastard child Linux. ;) (*nix is for people who don't know any better)
%"Life is far too important a thing ever to talk seriously about."
%- Oscar Wilde (1854 - 1900)
%Send mail w/ subject 'send public key' or query for (0x251A4B18)
%Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
%PS. It's UNIX. Not *nix. Not UN*X. This isn't the name of G*D
%for crying out