Re: NT's C2 rating
At 02:30 PM 3/21/96 -0800, David Loysen <dwl@hnc.com> wrote:
> I don't see any reason a C2 or B2 system can't be networked to another system(s) with the same classification. But that isn't really what I meant. Can you make a firewall system that is C2 compliant? Isn't this what you would need in order to connect a C2 system or network to another non secure network, (i.e. the internet)?
Leaving out Red Book details (since back when I last read the Red Book, nobody really had any general solutions to the problems), the problem is that the Orange Book demands that for C-level and above, the operating system must know the identity of all the users so it can track file, process, and authentication accesses, and for B1 and up, it also needs to know what users are allowed to use what security levels and what levels they're actually operating at.

1) It's difficult to do that - you have to trust the messages coming over a wire from the other machine to tell you who they're from, unless you can be sure there's only one user per wire. That means you need a mechanism for trusting the other machine, a mechanism for communicating that trust, a shared or mappable mechanism for identifying users, etc. That takes a certain amount of work even when you control all the machines that your machine can talk to, which you often can't (e.g. on an outer firewall.)

2) To _certify_ a system for general use (as opposed to certifying a specific instantiation of a system), you need to be sure that it will be installed and maintained in a way that will provide that identification and assurance. That's even harder, because you either need cryptographic authentication and session control, or else you need a way to guarantee that the system you're certifying only talks to machines that are administered in coordination with it, in spite of being installed by some Army grunt or military contractor who may RTFM but isn't a security wizard. And in the C2-certification biz, "cryptographic" means "something you got from the NSA", because they're the ones who do military crypto, and they tend not to trust software. Fortezza cards may do this stuff ok....
3) The networking code becomes part of the Trusted Computing Base, which means you have to be able to verify that it can't mess with anything that you don't want it messing with, and if it supports more than one simultaneous user, it's got to be able to keep track of sessions and communicate them reliably to the OS and TCB. That works relatively well for serial-port user logins and maybe uucp. TCP/IP, on the other hand, is typically implemented down in the guts of the OS, partly because IP needs to talk to hardware a lot, partly because it's often easier to do the TCP and IP together, partly for "speed", and partly because it's much more efficient to hand stuff to multiple users from kernel space than to hand it up to a user-space application which then IPCs things back through the kernel to their destination user processes. It also tends to have various pieces running as root, either to access hardware or protected parts of the software, or to make it easier to transfer ownership of information to processes owned by different users. (Yes, this is a Unix-centric view, but other systems tend to do similar stuff.) This makes it difficult to verify that it's clean (hey, parts of it are tough enough to get working really well, much less bug-free), and it's even tougher at higher levels like B2 that want Least Privilege rather than having a SuperUser root that can do everything. Root stuff is just basically dangerous anyway. And B1-level OSs often run the TCB (including root) at System Low to make sure no regular user can mess with it, which makes it hard for root-owned processes to write up to users.

#--
# Thanks; Bill
# Bill Stewart, stewarts@ix.netcom.com, +1-415-442-2215 pager 408-787-1281
# "At year's end, however, new government limits on Internet access threatened
# to halt the growth of Internet use. [...] Government control of news media
# generally continues to depend on self-censorship to regulate political and
# social content, but the authorities also consistently penalize those who
# exceed the permissible." - US government statement on China...
# "SigFiles of Unusual Size? I don't believe they exist!"
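The "who is on the other end of the wire?" problem from point 1 of the reply above, as a small added example (not code from the original post or from any certified system): a login service that believes whatever identity the peer asserts, next to one that only accepts an identity assertion bound to a per-machine shared key and a fresh server nonce, then maps the remote (machine, user) pair onto a local account. The host names, keys, user mapping and message format are all constructed for this example; the HMAC-over-nonce exchange stands in for the "cryptographic authentication and session control" the post says certification would need, and is a toy, not a certified mechanism.

```python
# Toy model of trusting vs. authenticating a remote identity claim.
# All hosts, keys, users and message formats below are constructed for
# this example; nothing here comes from the original post.
import hashlib
import hmac
import os

# --- Variant A: the wire is trusted. Whoever the peer says it is, it is. ---
def parse_identity_claim(msg: bytes) -> str:
    """Constructed wire format: b'USER <name>\\n'. Returns the claimed name."""
    line = msg.split(b"\n", 1)[0]
    if not line.startswith(b"USER "):
        raise ValueError("malformed identity claim")
    return line[5:].decode("ascii")

def trusting_login(msg: bytes) -> str:
    """Any host on the wire can name any user, including a privileged one."""
    return parse_identity_claim(msg)

# --- Variant B: the claim is keyed to a known machine and bound to this session. ---
# Shared key per trusted peer machine (constructed values, 32 bytes each).
PEER_KEYS = {b"alpha": bytes(range(32)), b"beta": bytes(range(32, 64))}
# Remote (machine, user) -> local account: the "mappable mechanism for
# identifying users". Anything not listed gets no local identity.
USER_MAP = {(b"alpha", b"dwl"): "loysen", (b"beta", b"stewarts"): "bill"}

def server_challenge() -> bytes:
    """Fresh nonce per login attempt, so a captured response cannot be replayed."""
    return os.urandom(16)

def client_response(peer_key: bytes, nonce: bytes, host: bytes, user: bytes) -> bytes:
    """Peer proves it holds the machine key and ties the claim to this nonce."""
    tag = hmac.new(peer_key, nonce + b"|" + host + b"|" + user, hashlib.sha256).digest()
    return host + b"|" + user + b"|" + tag

def authenticated_login(nonce: bytes, response: bytes):
    """Local account name for a trustworthy assertion, None otherwise."""
    try:
        host, user, tag = response.split(b"|", 2)
    except ValueError:
        return None  # malformed response
    key = PEER_KEYS.get(host)
    if key is None:
        return None  # unknown machine: no trust relationship, so no identity
    expected = hmac.new(key, nonce + b"|" + host + b"|" + user, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key, tampered claim, or replay under another nonce
    return USER_MAP.get((host, user))

if __name__ == "__main__":
    # Variant A: a stranger claims to be root and is simply believed.
    print("trusting:", trusting_login(b"USER root\n"))
    # Variant B: a genuine peer succeeds; a forger and a replay do not.
    n = server_challenge()
    good = client_response(PEER_KEYS[b"alpha"], n, b"alpha", b"dwl")
    print("authenticated:", authenticated_login(n, good))
    forged = client_response(b"guess", n, b"alpha", b"root")
    print("forged:", authenticated_login(n, forged))
    print("replayed:", authenticated_login(server_challenge(), good))
```

The mapping table is deliberately separate from the key check: holding a machine's key lets a peer assert users of that machine, but which local identity (if any) a remote user maps to is still the receiving system's decision, which is the part an outer firewall talking to machines it does not administer can never fill in.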