NT's C2 rating

David Loysen dwl at hnc.com
Fri Mar 22 03:42:56 PST 1996


At 03:54 PM 3/21/96 EST, you wrote:
>> configuration can be certified as C2 compliant. The way I read the orange
>> book, no system with a network connection can ever be C2. For that matter a
>> system can't get C2 unless it is in an area where you can control and
>> monitor physical access to the system.
>
>This is incorrect -- you can have a C2 system which has a network
>connection.  Indeed, you can get a B2 rating with a networked system,
>c.f. Multics.
>
>-derek
>
>
>
Well, I never argue with anyone from MIT..... But.

I don't see any reason a C2 or B2 system can't be networked to another
system(s) with the same classification. But that isn't really what I meant.
Can you make a firewall system that is C2 compliant? Isn't this what you
would need in order to connect a C2 system or network to another non secure
network, (i.e. the internet)?

I do agree that there is no place in the orange book that says "thou shall
not speak ethernet" but can you network a system and be able to "require
that ADP systems that process, store, or use classified data and produce
classified information will, with reasonable dependability, prevent
deliberate or inadvertent access to classified material by unauthorized
persons, and unauthorized manipulation of the computer and its associated
peripheral devices." Which the orange book does say.

I guess "reasonable dependability" is a pretty broad term.

Pardon a newbie here if I am being unusually obtuse, but you can't learn if
you don't ask.


dwl at hnc.com		
David Loysen		
619-546-8877 x245		
			






