rcd@ico.isc.com (Dick Dunn) (11/30/90)
aris@tabbs.UUCP (Aris Stathakis) writes: davidsen@sixhub.UUCP (Wm E. Davidsen Jr) writes: > > ODT has C2 security, DV2 doesn't, but has shadow password. Both > >companies consider this a feature. I would gladly pay another $200-300 > >for ODT with the security ripped out... > DV2? You mean maybe DV4? :-) Strange. I was under the impression > that AT&T wouldn't let you call your product UNIX V.4 unless you had > at least B2 security. I could be wrong though.. B2??? No, you must be kidding. You *don't want* B2. (It may be required for something you're doing, in which case you may *need* it...but even then you won't *want* it.:-) B2 is a higher level of security than C2. I'll leave it to the orange-book mavens to explain the differences; suffice it to say that if you think the flaming you've seen in this newsgroup about C2 is hot, you ain't seen nothin' yet. And no, B2 is not required for V.4. It's an option--I think MLS will take you to the B2 level. -- Dick Dunn rcd@ico.isc.com -or- ico!rcd Boulder, CO (303)449-2870 ...Mr. Natural says, "Use the right tool for the job."
palowoda@fiver (Bob Palowoda) (11/30/90)
From article <1990Nov29.224243.2934@ico.isc.com>, by rcd@ico.isc.com (Dick Dunn): > aris@tabbs.UUCP (Aris Stathakis) writes: > davidsen@sixhub.UUCP (Wm E. Davidsen Jr) writes: >> > ODT has C2 security, DV2 doesn't, but has shadow password. Both >> >companies consider this a feature. I would gladly pay another $200-300 >> >for ODT with the security ripped out... > >> DV2? You mean maybe DV4? :-) Strange. I was under the impression >> that AT&T wouldn't let you call your product UNIX V.4 unless you had >> at least B2 security. I could be wrong though.. > > B2??? No, you must be kidding. You *don't want* B2. (It may be required > for something you're doing, in which case you may *need* it...but even then > you won't *want* it.:-) > > B2 is a higher level of security than C2. I'll leave it to the orange-book > mavens to explain the differences; suffice it to say that if you think the > flaming you've seen in this newsgroup about C2 is hot, you ain't seen > nothin' yet. > > And no, B2 is not required for V.4. It's an option--I think MLS will take > you to the B2 level. ^^^^^^^^^^^^^^ |||||||||||||| Well this is interesting. According to Mr. Aris Stathakis in a previous article he writes: > What's wrong with that is that it isn't C2. The C2 standard states that > it must be included in the product, and you cannot have the same product > without the C2 security - or else it does not constitute C2. So C2 is required for *any* UNIX OS to be C2 and B2 which is as I understand it more secure is not required. Yes I would like to here from someone with the orange-book explain this. I know nothing about the security levels, nor do I own a system or use one at work. I do have accounts on some systems that do and once in a while I am locked out saying with a message for no reason at all. So indirectly it does affect me as a user. I'm sure the bugs will be found fix etc but this this brings up another question. How does each level of security packages affect the devolopment cost of applications for any UNIX that uses it? How will we know when the price/security costs are enough? ---Bob -- Bob Palowoda palowoda@fiver | *Home of Fiver BBS* Home {sun}!ys2!fiver!palowoda | 415-623-8809 1200/2400 {pacbell}!indetech!fiver!palowoda | An XBBS System Work {sun,pyramid,decwrl}!megatest!palowoda| 415-623-8806 1200/2400/19.2k TB+
randall@Virginia.EDU (Ran Atkinson) (11/30/90)
In article <1990Nov29.224243.2934@ico.isc.com> rcd@ico.isc.com, Dick Dunn writes: >aris@tabbs.UUCP (Aris Stathakis) writes: >> Strange. I was under the impression that AT&T wouldn't let you >> call your product UNIX V.4 unless you had at least B2 security. >B2 is a higher level of security than C2. I'll leave it to the orange-book >mavens to explain the differences; suffice it to say that if you think the >flaming you've seen in this newsgroup about C2 is hot, you ain't seen >nothin' yet. > >And no, B2 is not required for V.4. It's an option--I think MLS will take >you to the B2 level. Dick is correct. The MLS (Multi-level Security) option for Unix System V is needed if you want a B2 system. Note that UNIX System V/MLS is actually certified by NCSC as being a B2 system. I don't think that SCO ever actually got their "C2" product certified by NCSC (who are the only folks who can certify Orange Book conformance). If folks dislike C2, they will be much more unhappy with B2. I on the other hand prefer at least a B1 system because it is much safer from breakins and such. I'll not bore folks with the differences between C2 and B1 or B2; if you want to know more, go read the Orange Book. Ran randall@Virginia.EDU
randall@Virginia.EDU (Ran Atkinson) (11/30/90)
In article <1990Nov30.064557.13565@fiver> palowoda@fiver (Bob Palowoda) writes: > So C2 is required for *any* UNIX OS to be C2 and B2 which is as I >understand it more secure is not required. Yes I would like to here >from someone with the orange-book explain this. I know nothing about the >security levels, nor do I own a system or use one at work. I do have >accounts on some systems that do and once in a while I am locked out >saying with a message for no reason at all. So indirectly it does affect >me as a user. I'm sure the bugs will be found fix etc but this this >brings up another question. How does each level of security packages >affect the devolopment cost of applications for any UNIX that uses it? >How will we know when the price/security costs are enough? > >---Bob I think the original quote that Bob is reacting to was not well worded. It is not the case that all versions of an OS must meet the C2 requirement for any version to meet C2 (or some higher requirement such as B2). In particular, there are non-C2 versions of UNIX that are commercially available and there are B2 versions of UNIX that are available (which is an existence prrof for my assertion above.) There clearly is some cost to having a "trusted system" and at the moment the driving force behind such development is clearly the US DoD for the simple reason that banks, etc choose to buy insurance against breakins rather than spending the money to prevent the breakins by having a more trustworthy system. I gather that most folks here don't care much about such things and would be inclined to say that they should be options from vendors rather than the vendor forcing folks to all buy abilities that aren't wanted... Ran randall@Virginia.EDU
jmc@PacBell.COM (Jerry M. Carlin) (12/01/90)
In article <1990Nov30.064557.13565@fiver> palowoda@fiver (Bob Palowoda) writes: >From article <1990Nov29.224243.2934@ico.isc.com>, by rcd@ico.isc.com (Dick Dunn): >> aris@tabbs.UUCP (Aris Stathakis) writes: >> B2??? No, you must be kidding. You *don't want* B2. (It may be required >> for something you're doing, in which case you may *need* it...but even then >> you won't *want* it.:-) The B-level security includes multi-level security and mandatory access controls. This means it implements the federal government policy of classifying things as 'secret' and 'top secret' and establishing classes of people so that someone who is working on 'Europe' cannot see secrets related to 'Asia', for example. It requires a great deal of overhead, mostly in administration since besides having a security officer to do all of this classification and reclassification; it also implments separation of duties, ie no more root. You now have many ID's with limited authority so that no one person can subvert the machine (at least theoretically). Therefore your administration costs will go up by at least a factor of two and maybe a power of 3 with MANDATORY access control. This means that to change the ownership of a file, you have to go to the security administrator and request that the change be made. Also, if a file you have is at a higher level of security, someone at a lower level of security cannot read it (or someone in a different department). The security administrator must change its classification first. This also makes things like windowing systems weird since you cannot copy a document from a 'top secret' window to a 'unclassified' window. There are people being paid lots of money to write windowing software to enforce this policy. Networkng is yet another problem. The B-level has a few IMHO useful features such as 'trusted path'. This means that a trojan program capturing login info is not possible since when you press your 'secure attention key' you are guarenteed to be talking to the 'trusted computer base' and therefore the 'real' login program. >> B2 is a higher level of security than C2. I'll leave it to the orange-book >> mavens to explain the differences; suffice it to say that if you think the >> flaming you've seen in this newsgroup about C2 is hot, you ain't seen >> nothin' yet. The levels go D (as in no security MSDOS and Mac, for example), C (discretionary access controls), B (mandatory access controls) and A which is only achieved if you can PROVE your design is secure. >> And no, B2 is not required for V.4. It's an option--I think MLS will take >> you to the B2 level. ^^^^^^^^^^^^^^ AT&T MLS is actually at the C2/B1 level. AT&T has advertised that the next release V.4.1 will be able to be run at the B-level but that it will not be required. I believe all the pieces will be modular so you do not have to run it all to use parts. BTW, you do not have to bundle the security with the OS. IBM and DEC sell add-ons that bring the os up to the C2 level. What is required is that the evaluation be done with a given configuration and that to run at that level, you have to use the configuration that was evaluated. >... How does each level of security packages >affect the devolopment cost of applications for any UNIX that uses it? >How will we know when the price/security costs are enough? The great unanswerable question. If your application is a DBMS and you are building multi-level security in then quite a bit. If your package is a word processor, probably nothing since it will be up to UNIX to enforce the security. How much is enough depends on how paranoid you are. Remember, even paranoids have enemies :-) -- Jerry M. Carlin (415) 823-2441 jmc@srv.pacbell.com To dream the impossible dream. To fight the unbeatable foe.
randall@Virginia.EDU (Ran Atkinson) (12/01/90)
In article <1990Nov30.165007.2125@PacBell.COM> jmc@PacBell.COM (Jerry M. Carlin) writes: >Therefore your administration costs will go up by at least a factor of two >and maybe a power of 3 with MANDATORY access control. This is true if your security model is the DoD model. It is not necessarily true for all trusted systems (even if your software is rated B1 or better). In general, increases in security have additional costs everywhere (not just in computing). >Networking is yet another problem. Networking is addressed in the "Red Book" from NCSC and most of the "Compartmented Mode Workstations" in development seek to be Red Book compliant as well as B2 Orange Book. >The levels go D (as in no security MSDOS and Mac, for example), C >(discretionary access controls), B (mandatory access controls) and A >which is only achieved if you can PROVE your design is secure. Note that ALL systems that have not been formally evaluated by the NCSC (such as stock UNIX and stock VM/MVS and stock VMS) are technically level D systems. The A, B, and C designations technically mean that the system has been formally evaluated by NCSC and was found to meet the requirements for that rating. A lot of vendors (e.g. DEC about VMS) are talking as if their systems have actually been rated C2 or B1, when in fact they are unrated. The A-level distinguishes evaluation by testing to evaluation of the design of the OS itself as well as testing. >AT&T MLS is actually at the C2/B1 level. My understanding is that AT&T Unix System V/MLS is rated B2 by NCSC. >How much is enough depends on how paranoid you are. >Remember, even paranoids have enemies :-) Of course if one has enemies than one is not really paranoid right ? :-) :-) P.S. This has drifted a bit from UNIX V/386, so I've redirected followups to misc.security. Folks interested in this subject probably should be subscribers there (It's moderated so volume is low). Ran randall@Virginia.EDU
beattie@visenix.UUCP (Brian Beattie) (12/03/90)
In article <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU> Ran Atkinson <randall@Virginia.EDU> writes: > >If folks dislike C2, they will be much more unhappy with B2. I on the other >hand prefer at least a B1 system because it is much safer from breakins B1 is no more resitant to breakins than C2. in fact the C2 requirements for I&A (login and password) are the same as for B2. A properly administered C1 system is as safe from _breakin_ as a B2 system. The extra requirements for B1 and B2 are for labeling of data and are required to prevent users with accounts from accessing data improperly not for preventing unauthorized access to the machine. It is a common misconception that the higher the rating the more secure the system is from breakin, this is generally not the case. >and such. I'll not bore folks with the differences between C2 and B1 or B2; >if you want to know more, go read the Orange Book. > > Ran > randall@Virginia.EDU -- It is easier to build a | Brian Beattie (703)471-7552 secure system than it is | 11525 Hickory Cluster, Reston, VA. 22090 to build a correct system.| M. Gasser | ...uunet!visenix!beattie
benson@odi.com (Benson I. Margulies) (12/03/90)
Randall@virginia is misinformed: a B2 system has two things that no C system has (other than labels) 1) trusted path: 2) an implementation that passed must stricter muster with the DODCSC. B2 systems have to have full design documentation and meet some modularity standards. C systems just sort of have to have the features. Curious individuals should acquire copies of the orange book and see for themselves. -- Benson I. Margulies
randall@Virginia.EDU (Ran Atkinson) (12/03/90)
In article <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU>, Ran Atkinson <randall@Virginia.EDU> writes: >>If folks dislike C2, they will be much more unhappy with B2. I on the other >>hand prefer at least a B1 system because it is much safer from breakins In article <873@visenix.UUCP> beattie@visenix.UUCP (Brian Beattie) writes: >B1 is no more resitant to breakins than C2. >in fact the C2 requirements for I&A (login and password) >are the same as for B2. >A properly administered C1 system is >as safe from _breakin_ as a B2 system. >The extra requirements for B1 and B2 are for >labeling of data and are required to prevent >users with accounts from accessing data improperly >not for preventing unauthorized access to the machine. >It is a common misconception that the higher the rating >the more secure the system is from breakin, this is >generally not the case. I consider ANY unauthorised access to data on a system to be a break-in. Most breakins are from folks who have access to a system not from outsiders. My original statement is entirely correct. I avoided using the technical terminology of the trusted systems world deliberately since the audience here is primarily not folks in that community. Ran randall@Virginia.EDU
randall@Virginia.EDU (Ran Atkinson) (12/03/90)
In article <1990Dec3.122925.1968@odi.com>, benson@odi.com (Benson I. Margulies) writes: >Randall@virginia is misinformed: No. I was avoiding the use of technical jargon and avoiding going into detail that I felt was inappropriate for this audience. That isn't nearly the same has being incorrect or misinformed. Next time don't be quite so quick to flame without cause. I stand by my statement that a B system is harder to break into (i.e. more trustworthy) -- realise that I (like most folks) consider a break in to be ANY form of unauthorised access to data or other compromise of system security in general. >a B2 system has two things that no C system has (other than >labels) >1) trusted path: > >2) an implementation that passed must stricter muster with the DODCSC. >B2 systems have to have full design documentation and meet some modularity >standards. C systems just sort of have to have the features. >Curious individuals should acquire copies of the orange book and >see for themselves. I was looking at my personal copy when I wrote my comments. I agree that those interested in the topic should look at the original document. Followups have been redirected to misc.security.
shwake@raysnec.UUCP (Ray Shwake) (12/04/90)
palowoda@fiver (Bob Palowoda) writes: > So C2 is required for *any* UNIX OS to be C2 and B2 which is as I >understand it more secure is not required. Yes I would like to here >from someone with the orange-book explain this. I know nothing about the >security levels, nor do I own a system or use one at work. C2 functionality, or certification at that level (or an alternate level, for that matter) is a *customer* driven requirement. Major customers can often drive the market, as the federal government is doing with POSIX, as General Motors is doing with MAP, as the European PTT's are doing with OSI, etc. How the vendors respond to customer requirements can still vary, however. ISC has, for example, modularized C2 functionality such they can sell "plain vanilla" UNIX 3.2 security, while bidding C2-certified variants for government contracts. Providing a system *capable* of supporting a given level of security, however, does not mean that a system will always be running at that level. Aside from weaknesses on the policy and personnel side (often the most significant), a system supporting different degrees of security rigour (like SCO ODT and UNIX, ATT's MLS, etc.) will often have security running at less than the certified level.
jfh@greenber.austin.ibm.com (John F. Haugh II) (12/06/90)
In article <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU> Ran Atkinson <randall@Virginia.EDU> writes: > >In article <1990Nov29.224243.2934@ico.isc.com> rcd@ico.isc.com, Dick Dunn writes: >>And no, B2 is not required for V.4. It's an option--I think MLS will take >>you to the B2 level. The evaluated B2 product (SV/MLS) was not based on SVR4. It was based on SVR3.2.1 (or 3.2.2 or bzzt). I have a copy of the final evaluation (nice sleep inducer) laying about someplace, but it is not a SVR4-based product. If anyone cares, I'll post the specifics, but it is really pretty unexciting. >Dick is correct. The MLS (Multi-level Security) option for Unix System V >is needed if you want a B2 system. Note that UNIX System V/MLS is actually >certified by NCSC as being a B2 system. I don't think that SCO ever actually >got their "C2" product certified by NCSC (who are the only folks who can >certify Orange Book conformance). The certification handed out by the NCSC people covers a very specific hardware configuration and level of software. The reason that I doubt SCO will ever have a C2 for their product is because they would have to pick a hardware platform to have it rated on - and that is really the responsibility of a hardware vendor. The rating which AT&T received only applies to their hardware and that exact level of code (modulo being involved in RAMP, which I am certain they are). Any other level of software (read: bug fixes) or hardware model (read: performance improvements, etc.) are not covered. >If folks dislike C2, they will be much more unhappy with B2. I on the other >hand prefer at least a B1 system because it is much safer from breakins >and such. I'll not bore folks with the differences between C2 and B1 or B2; >if you want to know more, go read the Orange Book. Yes, I would like a B1 or B2 system for the house. MAC and least privilege are very nice features to have. For BBS users, trusted path is also nice. Keeps the little trojan horse weenies off your back. -- John F. Haugh II | This space intentionally | MaBellNet: (512) 838-4330 SneakerNet: 809/1C079 | left blank ... | VNET: LCCB386 at AUSVMQ BangNet: ...!cs.utexas.edu!ibmchs!auschs!snowball.austin.ibm.com!jfh (e-i-e-i-o)
murf@uts.amdahl.com (Richard Murphy) (12/06/90)
From article <4470@awdprime.UUCP>, by jfh@greenber.austin.ibm.com (John F. Haugh II): > > The evaluated B2 product (SV/MLS) was not based on SVR4. It was based > on SVR3.2.1 (or 3.2.2 or bzzt). I have a copy of the final evaluation > (nice sleep inducer) laying about someplace, but it is not a SVR4-based > product. If anyone cares, I'll post the specifics, but it is really > pretty unexciting. > SV/MLS is only certified to the B1 level. Several of the trade papers incorrectly stated the level. I've used both SCO's system and MLS. Each has some occasionally inconvenient features. So far it seems much easier to setup MLS to provide as much or little security features/interference (depending on what your objective is ;{) ) as you need. Of course I'm biased! - murf -- Rich Murphy arpa: murf@uts.amdahl.com uucp: ...!{ames,decwrl,uunet,pyramid,sun}!amdahl!murf bell: +1 408 737 5658 (W), +1 408 738 0811 (H)
jfh@rpp386.cactus.org (John F Haugh II) (12/07/90)
In article <685q02Rhf2ho01@amdahl.uts.amdahl.com> murf@uts.amdahl.com (Richard Murphy) writes: >SV/MLS is only certified to the B1 level. Several of the trade papers >incorrectly stated the level. it is "system v/mls 1.1.2 running on unix system v release 3.1.1". so it ain't even SVR3.2 ... >I've used both SCO's system and MLS. Each has some occasionally inconvenient >features. So far it seems much easier to setup MLS to provide as much or >little security features/interference (depending on what your objective >is ;{) ) as you need. Of course I'm biased! i've read the final evaluation and it does seem like a nice little product. i've been told it was a commercial failure, however. SCO has probably sold significantly more of it's "C2" product than AT&T has of its certified B1 product. sad to say, but secureware is also doing security for OSF ... -- John F. Haugh II UUCP: ...!cs.utexas.edu!rpp386!jfh Ma Bell: (512) 832-8832 Domain: jfh@rpp386.cactus.org