From: "Robert Shea"
To: "Benjamin Krueger"
Cc: "Darren Reed", "Dr. Evil"
Subject: RE: Security: FreeBSD vs OpenBSD
Date: Fri, 15 Mar 2002 16:56:35 -0800
In-Reply-To: <20020315162741.C93644@rain.macguire.net>

% BTW, NT4 was C2 qualified when locked down with its networking guts
% removed. This was quite a few of your "generations" ago too. I have seen no
% documentation that anything else Microsoft distributes has been C2 qualified
% and I highly doubt I will any time soon. Just had to get that jab in there. =)

This is exactly what I mean about people not understanding the Orange Book. Having its networking guts ripped out is a complete myth, and anyone with an understanding of the book would realize that it is totally irrelevant, but don't take my word for it:

"The evaluated configuration for Windows NT 4.0 Service Pack 6a with the C2 Update includes any number of the Windows NT Server and/or the Windows NT Workstation products, acting in any one of the following roles, either stand-alone or connected via a physically protected network consisting of zero or more Windows NT domains:

Microsoft Windows NT 4.0 Server product
 . Primary Domain Controller (PDC);
 . Backup Domain Controller (BDC);
 . Non-Domain Controller (domain member); and
 . Non-Domain Controller (non-domain member).

Microsoft Windows NT 4.0 Workstation product
 . Domain member; and
 . Non-domain member."

- FINAL EVALUATION REPORT, Microsoft Corporation Windows NT Workstation and Server Version 4.0, Service Pack 6a
http://www.radium.ncsc.mil/tpep/library/fers/TTAP-CSC-FER-99-001.pdf (page 15)

And as far as it being current goes? Well, the latest evaluation was completed in 11-99; considering how long it takes for an evaluation to be completed, I assume we will see one for Win2k late this year/early next. An informal evaluation will tell you that Win2k effectively meets the C2 TCSEC. And other products Microsoft makes? MS-SQL Server 8.0 also received the C2 rating in August 2000, but I am sure it had its networking guts removed as well. ;)

I never said worship the guide; in fact many fine systems like Argus' DBAC, SELinux's Flask, YGuard, and AITS's inherited RBAC are not covered by DOD-5200.28-STD, yet are all fine systems. The Orange Book is flawed in many ways for mainstream operating systems: its over-reliance on the Bell-LaPadula security model, while reasonably effective as a security model, is both incomplete and difficult to implement by anyone other than experts (a bad quality in an OS aimed at the general public).

"Security is not defined by adhering to rules laid out in a book. Security is not a product you can sell. Security does not come in a box wrapped up in bows."

Security is verifiable, not voodoo magick peddled by "experts", and UNIX is an operating system that was created by AT&T, later sold to SCO and renamed SCO UNIX-WARE. UN*X is UNIX, BSD, Solaris, Xenix, Sinix, AIX, HP-UX, UTS, etc, etc, etc, and nowadays even often includes the bastard child Linux. ;) (*nix is for people who don't know any better)

robert shea

% --
% Benjamin Krueger
%
% "Life is far too important a thing ever to talk seriously about."
% - Oscar Wilde (1854 - 1900)
% ----------------------------------------------------------------
% Send mail w/ subject 'send public key' or query for (0x251A4B18)
% Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
%
% PS. Its UNIX. Not *nix. Not UN*X. This isn't the name of G*D for crying out loud.