miorelli@pwa-b.UUCP (BoB Miorelli) (07/17/89)
Are any Unix systems certified as `secure' by the government? I'm looking for versions and level of security (such as C2, B1, etc.) Any info would be GREATLY appreciated. -- -->BoB Miorelli, Pratt & Whitney Aircraft also, H & R Block tax preparer and Instructor pwa-b!miorelli
gwyn@smoke.BRL.MIL (Doug Gwyn) (07/19/89)
In article <310@pwa-b.UUCP> miorelli@pwa-b.UUCP (BoB Miorelli) writes: >Are any Unix systems certified as `secure' by the government? I'm >looking for versions and level of security (such as C2, B1, etc.) NCSC has rated a special version of Gould's UTX/32 at the C2 level. AT&T's System V/MLS Release 1.1 is currently being evaluated at the B1 level and may be certified this fall. Trusted Information Systems's Secure Xenix Version 1.1 is also under evaluation, for level B2, but will probably not be certified until mid-1990. System V/MLS was being demonstrated at the recent USENIX conference in Baltimore. It looked really nice, and has one additional feature that made my mouth water: An attached 630 MTG terminal was downloaded with trusted software that maintained multiple window layers AT DIFFERENT SECURITY LEVELS and properly constrained the otherwise free transfer of information among them by the terminal's built-in mouse-driven text editing features. I hope that in the not too distant future, MLS features will be provided as configurable options packaged with the standard AT&T UNIX source releases. There are corporate uses for enforced security levels outside the government/military.
whisenhu@addamax.UUCP (07/20/89)
The only UNIX that currently exists on the Evaluated products list for the NCSC is Gould's UTX/32S (now Encore). It is rated at the C2 level. There are several other UNIX systems in evaluation that provide security at the B level, although none are on the evaluated products list. (yet) We have ported our B1st kit (B1 level) to several different UNIX systems both BSD and System V derived. Depending on the vendor, some of these will be submitted for evaluation and (hopefully) eventaully reach the evaluated products list. Gary Whisenhunt UUCP: {ihnp4, uunet}!uiucuxc!addamax!whisenhu Phone 1-217-359-0700 INTERNET: whisenhu%addamax@uxc.cso.uiuc.edu BITENET: whisenhu%addamax@uxc.cso.uiuc.edu MILNET: whisenhu%addamax@uiucuxc.arpa CSNET: whisenhu%addamax%uxc@uiuc.csnet US Mail: Addamax Corp, 2009 Fox Drive, Champaign, IL 61820
abcscnge@csuna.csun.edu (Scott "The Pseudo-Hacker" Neugroschl) (07/20/89)
In article <310@pwa-b.UUCP> miorelli@pwa-b.UUCP (BoB Miorelli) writes:
=
=Are any Unix systems certified as `secure' by the government? I'm
=looking for versions and level of security (such as C2, B1, etc.)
=Any info would be GREATLY appreciated.
=
I believe Gould has a C2 Unix.
Also, a few months back, Government Computer News ran an article about an
A1(!) kernel that DEC either was working on or certified or both. It claimed
that Unix could run on top of this kernal. Believe or not.
Scott
--
Scott "The Pseudo-Hacker" Neugroschl
UUCP: ...!sm.unisys.com!csun!csuna.csun.edu!abcscnge
-- Beat me, Whip me, make me code in Ada
-- Disclaimers? We don't need no stinking disclaimers!!!
andrew@riddle.UUCP (Andrew Beattie) (07/20/89)
In article <310@pwa-b.UUCP> miorelli@pwa-b.UUCP (BoB Miorelli) writes: > >Are any Unix systems certified as `secure' by the government? I'm >looking for versions and level of security (such as C2, B1, etc.) The the good news: SCO UNIX 3.2 (Note that I said Unix not Xenix and 3.2 not 2.3) is designed to meet C2. The bad news: You can't buy it just yet, I'm looking at a beta copy. (but I guess that it will be available "real soon now" :-) ) Andrew
rcsmith@anagld.UUCP (Ray Smith) (07/20/89)
In article <310@pwa-b.UUCP> miorelli@pwa-b.UUCP (BoB Miorelli) writes:
=
=Are any Unix systems certified as `secure' by the government? I'm
=looking for versions and level of security (such as C2, B1, etc.)
=Any info would be GREATLY appreciated.
=
AT&T has their product, System V/MLS, in for evaluation at the NCSC for a
B1 certification.
In addition, a company called Addamax has products designed for B1
certification available for System V Release 3.0 and for BSD 4.3. If they
aren't already in the evaluation process, they will be soon. The person I
contacted there was MaryLou Hensley and she can be reached at 301-590-0090
for more information.
Disclaimer: I have no interest in either AT&T or Addamax; I do however, have
an interest in MLS systems and networks.
-Ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray Smith | UUCP: {uunet,aplcen,netsys,sundc}!anagld!rcsmith
Analytics, Inc. | ARPA: RCSmith@DOCKMASTER.ARPA or
Suite 200 | anagld!rcsmith@uunet.uu.net
9891 Broken Land Parkway |
Columbia, MD 21046 | Voice: (301) 381-4300 Fax: (301) 381-5173
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ken@capone.gatech.edu (Ken Seefried iii) (07/20/89)
In article <310@pwa-b.UUCP> miorelli@pwa-b.UUCP (BoB Miorelli) writes: > >Are any Unix systems certified as `secure' by the government? I'm >looking for versions and level of security (such as C2, B1, etc.) >Any info would be GREATLY appreciated. > SecureWare here in Atlanta, GA, has secure Unix products based on A/UX, System V/386 and SCO Xenix. They will also port to custom hardware (they had just finished a port for Olivetti when I was there). They can be reached at +1 404 894 5170 or +1 404 876 4840 last I knew. Disclaimer: I did some consulting work for SecureWare, but I won't get any more by talking about them... ...ken ken seefried iii ...!{akgua, allegra, amd, harpo, hplabs, ken@gatech.edu masscomp, rlgvax, sb1, uf-cgrl, unmvax, ut-ngp, ut-sally}!gatech!ken
ronald@ibmpcug.UUCP (Ronald Khoo) (07/25/89)
In article <1038@riddle.UUCP> andrew@riddle.UUCP (Andrew Beattie) writes: > >SCO UNIX 3.2 (Note that I said Unix not Xenix and 3.2 not 2.3) >is designed to meet C2. _designed_to_meet_ ? Do you know if it will actually be *certified* before they sell it? (If so, I'll never buy it, secure un*x is a contradiction in terms :-) 8-) -- Ronald.Khoo@ibmpcug.CO.UK (The IBM PC User Group, PO Box 360, Harrow HA1 4LQ) Path: ...!ukc!slxsys!ibmpcug!ronald Phone: +44-1-863 1191 Fax: +44-1-863 6095 Disclaimer: With my opinion of PCs, ibmpcug probably disclaims knowledge of me!
burzio@mmlai.UUCP (Anthony Burzio) (07/27/89)
In article <11099@ibmpcug.UUCP>, ronald@ibmpcug.UUCP (Ronald Khoo) writes: >> _designed_to_meet_ ? Do you know if it will actually be *certified* >> before they sell it? >> > (If so, I'll never buy it, secure un*x is a contradiction in terms :-) 8-) Security on a UNIX system should be utterly optional. At first you should get a normal system without security from distribution. Later, you could then run a program, say called "Big Brother", that would modify things to add security... ********************************************************************* Tony Burzio * Doctor: Take this vial to the rest rooms... Martin Marietta Labs * Guru: Oh, you want a core dump? mmlai!burzio@uunet.uu.net * *********************************************************************
ziegler@lznv.ATT.COM (J.ZIEGLER) (07/31/89)
In article <574@mmlai.UUCP>, burzio@mmlai.UUCP (Anthony Burzio) writes: > Security on a UNIX system should be utterly optional. At first you > should get a normal system without security from distribution. Later, > you could then run a program, say called "Big Brother", that would > modify things to add security... > Actually, a secure computer system has to be secured at all times during its life, including installation and maintenance as well as normal operation. To do this, it would probably be best to have the secure system on the distribution medium, and have a normal installation put the secure system in place. Then a SEPARATE medium would have an "un-Big Brother" utility on it, that would turn off all the special security features. This way a secure system can be distributed and installed, with fewer opportunities for the system to be compromised. Those who don't want the extra security will have a little extra work to do at installation, but at least that's only a one-time problem. I do agree that all security should be optional. Joe Ziegler att!lznv!ziegler
car@trux.UUCP (Chris Rende) (08/04/89)
In article <10553@smoke.BRL.MIL>, gwyn@smoke.BRL.MIL (Doug Gwyn) writes: > In article <310@pwa-b.UUCP> miorelli@pwa-b.UUCP (BoB Miorelli) writes: > >Are any Unix systems certified as `secure' by the government? I'm > >looking for versions and level of security (such as C2, B1, etc.) Multics (Unix's father) has/had a B2 security rating. car. -- Christopher A. Rende Central Cartage (Nixdorf/Pyramid/SysV/BSD4.3) uunet!edsews!rphroy!trux!car Multics,DTSS,Unix,Shortwave,Scanners,StarTrek ...!sharkey!rphroy!trux!car Minix,PC/XT,Mac+,TRS-80 Model I: Buy Sell Trade "I don't ever remember forgetting anything." - Chris Rende