On Wed, 9 Oct 2002, Terry Lambert wrote:
> "Roman V. Mashak" wrote:
> > On Wed, Oct 09, 2002 at 01:07:43PM -0400, Steve Kudlak wrote:
> > > project and mucking with the "low grade" in my opinion C-2 security
> > > that Sun OSes had and finding bugs in things like FTP logging and
> > > the like. I now do other things so I don't worry about that. :) But it
> > > is an interesting issue. I wonder if we should move it to chat?
> >
> > Could you please pick up some URLs with a description of all security levels
> > (C-2 and so on) - how to get them, who is going for them and so on.
> > Thanks in advance.
>
> Here is the "Orange Book" (DoD TCSEC / DoD 5200.28-STD):
>
> http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html
>
> You "get it" by paying a certified testing laboratory a huge amount of
> money to test a particular hardware and software combination.

Systems are no longer being evaluated to TCSEC. The new world order is
based on a "Common Criteria", or language for expressing protection profiles
(PPs) in terms of a feature set, and then an assurance level (EAL-1 ...
EAL-4 or higher). The logical equivalents to TCSEC C2 and B1, as mentioned
in an earlier message I sent out, are the CAPP and LSPP protection profiles
at EAL-4. In order to get your foot in the door, you really need at least
EAL-3 / CAPP. There are lots of other protection profiles provided by NSA,
NIST, and other international organizations. This is a logically separate
issue from the safety critical concern, although in many real world
situations, you'd want both aspects.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]             Network Associates Laboratories