[comp.virus] mainframe attacks

m19940@mwvm.mitre.org (Emily H. Lonsford) (06/29/90)

Chuck Hoffman of GTE Laboratories, Inc., writes:

"That also was about two years before the time that the Security group at
SHARE formed, which developed the specifications for the product which became
ACF2 in 1978.  Simultaneously, IBM was secretly developing RACF."

My recollection is that RACF came before ACF2.  David Chess can probably
clarify the exact date.  Barry Schrager of SKK (the original developers of
ACF2) was a member of the SHARE committee that wrote the first security white
paper, on what an access control system should do.  IBM's response, RACF, fell
far short of the mark - for one thing, in early releases it protected BY
EXCEPTION rather than BY DEFAULT.  SKK decided they could do a better job, and
went off and wrote ACF2 on London Life's computer in Toronto.  I did a survey
of the two packages in the 78-79 time frame and ended up choosing ACF2 for my
employer, an energy company.

"it became much more difficult for hackers who were not in the systems
programming groups to make significant intrusions into MVS systems."

I think you meant to say that it requires knowledge of MVS.  True, the
controls are there with ACF2, RACF and TopSecret to prevent non-sysprogs from
hacking into MVS.  But how _well_ are they implemented?  All it takes is one
privileged ID with a trivial password, or one unprotected APF library,
installation ID with the default password, etc. etc.

And you have to be cautious about the sysprogs.  They have the knowledge and
the power to do lots of damage, just by accident.

"Computer Associates is in the process of raising the rating of ACF2 and Top
Secret from C2 to B1."

Is that what CA is telling you?  I just looked in my April 1990 "Information
Systems Security Products and Services Catalog", a government publication, and
CA is not in the list of vendors in the evaluation process.  The process
normally takes at least 2 years.  Interestingly enough, IBM _is_ listed in the
evaluation process for MVS-ESA/RACF, aiming at a B level evaluation.
Currently MVS/XA with RACF, ACF2 or TopSecret is rated at C2.  You might want
to get a copy of the catalog from your local GPO Bookstore.  It has some
interesting information in it about lots of security products.

And just because the OS is evaluated at B1 doesn't mean _in your
implementation_ that it's B1 secure.  For one thing, any OS modifications (SVCs,
exits, etc.) invalidate the rating. Can you imagine MVS without add-ons?

"On Digital VAXs, the VMS system technically is C2, but in my opinion the
architecture is so cumbersome that systems managers have some justification
when they say that you need system privileges all the time just to do a job.
Yes, it's C2, but so many people end up with privileges that it hardly
matters."

I agree that it's difficult to manage the privileges on VAX/VMS.  But at least
DEC included C2 level protection in the OS, rather than making the user buy an
ADD-ON package to get security.  Let's face it:  without ACF2, RACF or
TopSecret, "MVS security" is an oxymoron.

To me, the worst problem is with UNIX's root account; there it's all or
nothing when it comes to privileges.  There's no such thing as "separation of
duties."  And so far the "more secure" versions of UNIX really haven't
addressed that.

As always, my opinions are my own, not necessarily those of my employer.
*        Emily H. Lonsford
*        MITRE - Houston W123  (713) 333-0922

fasteddy@amarna.gsfc.nasa.gov (John 'Fast-Eddie' McMahon) (07/03/90)

CAH0@gte.com (Chuck Hoffman) writes...
:   On Digital VAXs, the VMS system technically is C2, but in my opinion
:the architecture is so cumbersome that systems managers have some
:justification when they say that you need system privileges all the time
:just to do a job.  Yes, it's C2, but so many people end up with privileges
:that it hardly matters.

I have gotten conflicting answers on this, so I'll ask again...

My understanding is that VMS 4.3 was the version rated at C2, and that
rating did not automatically carry over to later versions of VMS.
Hence, if you are running 4.3 you have (potentially) a C2 system.  But
if you are running 4.4 through 5.4 you don't.

Can someone explain how these ratings apply when a system is upgraded?

------------------------------------------------------------------------------
John "Fast Eddie" McMahon                        FASTEDDY@DFTNIC.GSFC.NASA.GOV
Code 930.4 - Advanced Data Flow Technology Office      SDCDCL::FASTEDDY (SPAN)
NASA Goddard Space Flight Center in Greenbelt, MD               (301) 286-2045
             (Soon to be at TGV, Incorporated - MCMAHON@TGV.COM)
------------------------------------------------------------------------------
Disclaimer:  These are my views.  Although I am a NASA contractor, I do not
             speak for NASA or ST Systems Corporation.  Va guvf tybony ivyyntr
             xabja nf gur argjbex, jr ner nyy cevfbaref... Or frrvat lbh...

CAH0@gte.com (Chuck Hoffman) (07/03/90)

Emily H. Lonsford of Mitre writes:
"Is that what CA is telling you?  I just looked in my April 1990
'Information Systems Security Products and Services Catalog', a government
publication, and CA is not in the list of vendors in the evaluation
process."

Her question relates to my comment that Computer Associates is "in the
process" of raising the rating of ACF2 and Top Secret from C2 to B1, which
will make hacking more difficult.

What CA is telling all of us is in the form of product announcements for
CA-ACF2 and CA-Top Secret.  I have the ones for the MVS versions of these
products.  There probably are also announcements for the VM versions, but
I haven't seen them.  The announcements are dated February 15, 1990, but I
just got them in the mail recently.  The announcements are almost
identical to each other, so I will quote parts of the CA-ACF2 MVS text:

     "CA-ACF2 MVS Release 5.2 PTFs permit security operation following the
Department of Defense Trusted Computer System Evaluation Criteria (DOD
5200.28-STD) for a Mandatory Access Control (MAC) security system at the
B1 level."

     "Available 3rd Quarter 1990 - Beta Test"

     "In August 1989, CA filed proposals with the NCSC to have CA-ACF2
MVS, CA-ACF2 VM, CA-TOP SECRET MVS and CA-TOP SECRET VM formally evaluated
to ensure full compliance with the Department of Defense Trusted Computer
Systems Evaluation Criteria (DOD5200.28-STD) at a B1 level. Although CA
cannot guarantee that CA-ACF2 MVS will receive a B1 rating nor is it
possible for CA to provide a specific date for when a formal evaluation
will be completed, CA has worked successfully with the NCSC on numerous
occasions and completed several evaluations."

That's what they're saying.  Evaluate it for yourself.  Personally, I will
believe it when I see it.  The announcement is sort of like telling people 's
point about the rating's not applying to an individual site's
implementation is well taken.  The rating is for the PRODUCT, not for your
installation.  For instance, if you give security privileges to large
numbers of people, you couldn't expect to call your installation "secure"
even if the product has a B1 rating.  And who knows what your system
modifications might do?

Emily writes about the first copy of ACF2 being written at London Life in
Ontario.  I can add that copy #2 went to Linda Vetter's installation at
GM; Linda was one of the chair people of the security committee at SHARE,
and later became a Vice President at SKK.  Copy #3 came here, to GTE
Laboratories, in 1978.  It was installed personally by Barry Schrager, Eb
Klemmons, and Scott Kruger, the original "SKK."  Several releases, and
years, later, I was having some difficulty getting an answer to a
technical question from SKK Tech Support.  By then, they had a "Level 1"
and "Level 2" structure which was getting in the way.  Finally, in
frustration, I said "Look, this product was installed on our system by
Barry, Scott, and Eb.  Now it doesn't work, and it's impacting our
business.  I want the installers back out here on site."  We got INSTANT
attention.

Since we deinstalled the IBM systems last December, we probably have the
distinction of being the longest running ACF2 site to remove the product,
too.

I expect lively discussion at the CA Security and Audit conference in
Orlando this coming week.  Unfortunately for me, the session concerning
new features is scheduled opposite one I will be giving (on granting
privileges to systems programmers!).

I thank Emily for her comments.  Those certainly were interesting times.
-Chuck

- Chuck Hoffman, GTE Laboratories, Inc.
cah0@bunny.gte.com
Telephone (U.S.A.) 617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN

TENCATI@NSSDCA.GSFC.NASA.GOV (SPAN Security Mgr) (07/03/90)

fasteddy@amarna.gsfc.nasa.gov (John 'Fast-Eddie' McMahon) writes...

> I have gotten conflicting answers on this, so I'll ask again...
>
> My understanding is that VMS 4.3 was the version rated at C2, and that
> rating did not automatically carry over to later versions of VMS.
> Hence, if you are running 4.3 you have (potentially) a C2 system.  But
> if you are running 4.4 through 5.4 you don't.
>
> Can someone explain how these ratings apply when a system is upgraded?

You are correct in that VMS 4.3 was rated at C2 (Discretionary Access
Controls).  This was for VAX/VMS without DECnet. Subsequent versions
do NOT automatically qualify for the C2 rating.  This does not mean
that the operating system is not secure (unless we're talking V4.4
which had a bug), but it means that the new release was never
re-tested.  VMS still meets the Orange Book criteria, it just lacks
the formal certification.

The NCSC is handling this problem with their RAting Maintenance
Phase (RAMP) program. They are in the process of training the vendor
community on the necessary rules and criteria for assuring that future
releases of a product continue to meet the criteria under which the
original rating was granted.

The RAMP program is new, so VMS 4.3 was not included in it. DEC
currently has a "future version" of VMS undergoing recertification by
the NCSC at the C2 level. This version, when rated, will be placed
into the RAMP program so that future updates will continue to be
released with the rating current. In the meantime, DEC personnel are
being trained in the RAMP program by the NCSC.

There are also several versions of UNIX being certified at C2. None of
these, to my knowledge, are under the RAMP program; however, the
individual vendors should be able to supply that information.

For those interested, the NCSC has two publications available which
apply to this discussion, one is the "Rating Maintenance Phase Program
Document", and the other is the Final Report on the certification of
VAX/VMS V4.3.

Ron Tencati
Science Applications Research

Co-Chair, DECUS VAX-SIG Security Working Group

---------------------------------------------------------------------------
Network Security Manager              | arpa - tencati@nssdca.gsfc.nasa.gov
Space Physics Analysis Network (SPAN) | span - NCF::TENCATI /6277::TENCATI
NASA/Goddard Space Flight Center      | tele - +1-301-286-5223
Greenbelt, MD. USA                    | fax  - +1-301-286-4952
---------------------------------------------------------------------------
There are no winners in life, only survivors...

Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) (07/04/90)

Emily H. Lonsford of Mitre writes:

>Is that what CA is telling you?  I just looked in my April 1990
>"Information Systems Security Products and Services Catalog," a
>government publication, and CA is not in the list of vendors
>in the evaluation process.

CA-ACF2 MVS and CA-TOP SECRET MVS were approved for acceptance into the
Trusted Product Evaluation Program on 15 June 1990.  Although we are not
yet listed in the "Potential Products List" on the Announce forum of
Dockmaster (even the 07/02/90 edition, transaction [0162]), I have the
letter from the NCSC in front of me that says we are indeed in the
evaluation program.

Lynn R. Grant
NCSC Projects Group
Computer Associates International, Inc.
(312) &14-7639
Grant at DOCKMASTER.NCSC.MIL

AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) (07/05/90)

This discussion about MVS security has reminded me of a quote a couple
of years back (I think I read it in a Jim Goodwin posting or article,
but I can't remember if it was original or he quoted it).  Anyway, it
goes something like: "The only truly secure computer system is one
that is cast in concrete and thrown to the bottom of the ocean.  And
even then, I'm not too sure..."

A pessimistic outlook, but a degree of truth to it nonetheless.

  /===\   Arthur J. Gutowski, System Programmer
 : o o :  MVS & Antiviral Group / WSU University Computing Center
 : --- :  Bitnet: AGUTOWS@WAYNEST1  Internet: AGUTOWS@WAYNEST1.BITNET
  \===/                                       AGUTOWS@cms.cc.wayne.edu
 Have a day.
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Life as a schizophrenic is never lonely.

AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) (07/09/90)

The quote I posted in V3 #120 is actually from Gene Spafford, and goes:

"The only truly secure system is one that is powered off, cast
in a block of concrete, and sealed in a lead-lined vault
with armed guards -- and even then I have my doubts."

Rollo Rogers sends me another gem:

"100% system security = 100% non production."

It's a rough world out there.

Regards,
 Art

peter@ficc.ferranti.com (Peter da Silva) (07/10/90)

AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) writes:
> "100% system security = 100% non production."
> It's a rough world out there.

On that note, it might be worthwhile to have a look at comp.std.unix, where
a similar discussion is underway.
--
Peter da Silva.   `-_-'
+1 713 274 5180.
<peter@ficc.ferranti.com>