[mod.computers.vax] SECURITY certification of VMS releases

art@MITRE.ARPA (Art McClinton) (09/05/86)

Can anyone tell me how one can get official information concerning the
security certification of various versions of VMS?  Will this certification
be for only certain VAX processors?  I keep hearing different things, but
need a reliable (read that not a DEC salesman's word) source.  

Responses may be sent to ART@MITRE.ARPA


Sincerely,

 - Arthur T. McClinton Jr., phone: (703) 883-6356
   The MITRE Corporation, 1820 Dolley Madison Blvd.
   Mail Stop Z305, McLean, VA   22102

vtcf@NCSC.ARPA (Williams) (09/12/86)

You can verify the C2 rating of VMS 4.3 by calling the National Computer Security
Center at (301) 859-4458.  VAX/VMS was added to their Evaluated Products
List as of July 30, 1986.  This information was extracted from DEC literature.

Jan Crane

art@MITRE.ARPA (Art McClinton) (09/14/86)

Thanks for the information.  I did call them and they did verify that not
all hardware running VMS 4.3 was evaluated and rated C2.  For example, the
MicroVAX was not.  Each hardware type requires an evaluation.  It also only
applies to VMS 4.3.  Not 4.3 and above as some DEC sales would like you to
believe.  One needs the Evaluated Products List itself to understand the
caveats.  Thus it is incorrect to say that VAX/VMS was added to the EPL.  The
correct statement would be that VAX/VMS version x.xx for the following VAX
computers xxxxxxx was added to the EPL.
 
- Arthur T. McClinton Jr., (703) 883-6356 
   The MITRE Corporation, Mail Stop Z305
   1820 Dolley Madison Blvd.
   McLean, VA   22102

lsmith.pasa@XEROX.COM (11/25/86)

Art:
We too are interested in VMS certification, and would appreciate any info you found out.
Leigh Smith
Vista Labs
(Xerox Special Information Systems)
P.O. Box 5608
Pasadena, CA 91107

art@MITRE.ARPA (Art McClinton) (11/26/86)

VMS 4.3 has been certified at a C2 level when run on a VAX 11/xxx or a VAX 8600.
There were talks at S.F. DECUS on the methods used by DEC to certify at this 
level.  The NCSC (government agency that certifies) also gave a talk concerning
security certification.  If you are interested in the talks, you can buy a 
cassette tape of the talk.

Vendor is Chesapeake Audio/Video Communications  (301)796-0040.

The talks were:
V150 Digital's Secure System Development
V198 Security Testing of VAX/VMS
S013 Security Evaluation Howard Israel National Computer Security Center
        (not taped)


The MicroVAX II was not submitted for C2 as the manual set does not contain
the required manuals.  

It should also be noted that the C2 level is reached without any installed 
layered products.  The installation of privileged images negates the automatic 
C2 certification.  Each privileged program must be examined.  One such program 
that will possibly make it difficult to maintain the certification is DECnet.
Both DEC and NCSC were careful to point out that the C2 certification is for
only single CPU systems which were not members of a cluster or a DECnet network.
This is not to imply that Clusters or DECnet networks cannot be made to be C2 or
above, they just are not automatically classed as such.

 
     
*
*---Art
*
*Arthur T. McClinton Jr.     ARPA: ART@MITRE.ARPA
*Mitre Corporation MS-Z305   Phone: 703-883-6356
*1820 Dolley Madison Blvd    Internal Mitre: ART@MWVMS or M10319@MWVM
*McLean, Va. 22102           DECUS DCS: MCCLINTON
*