NT's C2 rating

Mark Aldrich maldrich at grctechs.va.grci.com
Fri Mar 22 04:36:59 PST 1996


On Thu, 21 Mar 1996, David Loysen wrote:

> Ain't nothing fine about that print. An operating system or piece of
> hardware may be C2 certifiable. But only a complete system in a specific
> configuration can be certified as C2 compliant. The way I read the orange
> book, no system with a network connection can ever be C2. For that matter a
> system can't get C2 unless it is in an area where you can control and
> monitor physical access to the system.

I have to disagree.  C2 most certainly can be given to a network product.  
That's why we have the TNI (Trusted Network Interpretation) of the 
criteria.  There are actually A1 network products on the EPL.  I've 
personally worked on both C2 and B1 network and database product 
evaluations, for example.

Also, evaluation is given to commercial products, not "complete 
systems."  A complete system goes through certification and 
accreditation, not evaluation against the Criteria.

Also, the physical security measures make no difference in regard to a C2 
rating.  A product can be C2 whether it's in a kiosk in a shopping mall, 
or inside of a SCIF.  The overall security policy of the system dictates 
the right mix of software countermeasures (C2, B1, B2, etc.) and the 
physical countermeasures (public, locked room, not networked, in a SCIF).  
Normally, as you boost one side of the equation, you can lower the other.

In short, the criteria is used to rate the level of trust that can be 
placed in a given commercial product.  Sort of like a UL rating.  Once 
you buy it, though, the security posture in which you operate it is up to 
you.

------------------------------------------------------------------------- 
|      Liberty is truly dead              |Mark Aldrich                 | 
|    when the slaves are willing          |GRCI INFOSEC Engineering     | 
|     to forge their own chains.          |maldrich at grci.com            | 
|        STOP THE CDA NOW!                |MAldrich at dockmaster.ncsc.mil | 
|_______________________________________________________________________| 
|The author is PGP Empowered.  Public key at:  finger maldrich at grci.com |
|    The opinions expressed herein are strictly those of the author     | 
|         and my employer gets no credit for them whatsoever.           | 
-------------------------------------------------------------------------






