Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!uunet!in1.uu.net!news.mindspring.com!nhammond.mindspring.com!nhammond
From: nhammond@mindspring.com (Nicolas Hammond)
Newsgroups: comp.os.linux.development.system,comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.bsdi.misc
Subject: Re: need secure OS to entrust millions to
Date: Fri, 1 Mar 1996 22:45:05 -0400
Organization: MindSpring Enterprises, Inc.
Lines: 93
Message-ID: <nhammond.3.00AE67CD@mindspring.com>
References: <4gi6t6$3h9@lace.colorado.edu> <31304401.3341@pinsight.com> <4gq2j9$2g48@babyhuey.cs.utexas.edu>
NNTP-Posting-Host: nhammond.mindspring.com
X-Newsreader: Trumpet for Windows [Version 1.0 Rev B]
Xref: euryale.cc.adfa.oz.au comp.os.linux.development.system:19311 comp.os.linux.misc:91749 comp.os.linux.networking:31627 comp.unix.bsd.freebsd.misc:15416 comp.unix.bsd.netbsd.misc:2461 comp.unix.bsd.bsdi.misc:2647

In article <4gq2j9$2g48@babyhuey.cs.utexas.edu> dhs@cs.utexas.edu (Douglas H. Steves) writes:

>From: dhs@cs.utexas.edu (Douglas H. Steves)
>Subject: Re: need secure OS to entrust millions to
>Date: 25 Feb 1996 10:26:17 -0600

>In article <31304401.3341@pinsight.com>,
>Roy A. Gilmore <royg@pinsight.com> wrote:
>>Banks need B1-B2 level security.

>No. Most of the functional differences at B1+ are related
>to mandatory [sic] access controls, which is a DoD-ish
>policy/fetish that doesn't apply to commercial environments.
>A lot of the remainder are miscontrived and misconstrued
>software engineering fallacies that have nothing to do with
>real security.

I used to work at SecureWare (I now have my own consulting company) and was the one responsible for setting up the "secure" machine for Security First Network Bank (www.sfnb.com), the world's first on-line bank. I also helped with the design of the entire security architecture. I have also set up other banks, including the first bank offering on-line services in Central America. I have also set up commercial Web sites that "protect millions" (usually data, but data critical to some Fortune 100 companies).

There are descriptions on the sfnb home page of some of the security that was implemented. You will find much useful information at this site about how to protect a site.

A B-level system was used for "protecting the millions". The reasons for this are security related - if you are going to protect valuable data, then you need a machine with high assurances and a high level of security - a B-level system provides that. No, you don't need all of the features of the B-level system; but you do need some, and you need the assurance.

You also need a sound security architecture, a written security policy reviewed and approved by all that matter. You need a set of security and system procedures to cover all administration. You need penetration tools to verify your architecture. You need a penetration study from an outside body. You need regular system audits to verify that the security policy and security/system procedures are in place and are being followed. You need to devise an authentication system, so customers can connect to the bank and the bank can verify who they are. This includes someone entering a different account name after they have "authenticated" to the bank/financial institution. You need audit alarms and checks when someone tries to "break in".

But, I'm writing your paper for you :-)

Seriously, you do not use a free O/S, for all of its benefits, for something like this.

>> Read the DoD's "Rainbow Series".

>The pot at the end of the "Rainbow Series" doesn't contain gold.

>>Must be "amateur hour" again. Feel sorry for your customers...

>Ditto.

>More generally, I feel sorry for people that use systems designed
>according to the NSA/NCSC misapprehensions in this area. Their
>secure OS policies are almost as ludicrous as their crypto
>policies, and just about as damaging.

You can take a system that meets/passes an NSA/NCSC/ITSEC evaluation and configure it correctly. Thus you can implement your own "policy" on top of the NSA/NCSC required policy, i.e. deconfigure what you don't need and add some extra stuff into it.

A correctly configured B1 system has a much higher level of assurance than a similarly configured non-B1 system. Why? Assume the system becomes misconfigured (it will, they all do) - on your B1 system, someone can break in, but they are restricted to running at a certain level (compartment, category, choose your term (*)) and cannot see any other "level". On a misconfigured non-B1 system, your hacker is in and your millions are gone.

(*) A B1 system provides a capability similar to a virtual OS running at a particular level - if someone breaks into the "outside" level, then they cannot see the "inside" level. This is assuming you have one network card on the "outside" and one network card on the "inside" - the two should not talk except through programs defined in your security policy.

Nicolas Hammond
NJH Security Consulting, Inc.
nhammond@mindspring.com
(404)262-1633
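The containment argument in the post (a break-in on a B1 system stays confined to its label even when discretionary permissions are misconfigured, while on a non-B1 system the same mistake exposes everything) can be modelled with a small label check. This is an added illustration, not code from the post or from any evaluated system; the labels, file names and the "gateway" process are constructed for the example.

```python
"""Toy model of B1-style mandatory labels layered on top of discretionary
(DAC) permissions. Constructed example: the label values and files are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                 # hierarchical sensitivity: 0 = outside, 1 = inside
    compartments: frozenset    # non-hierarchical categories

    def dominates(self, other: "Label") -> bool:
        # Bell-LaPadula dominance: higher-or-equal level AND a superset of compartments.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class File:
    name: str
    label: Label
    owner: str
    world_readable: bool       # the DAC bit an administrator might get wrong


@dataclass
class Process:
    uid: str
    label: Label


def dac_allows_read(proc: Process, f: File) -> bool:
    # Discretionary check only: owner or world-readable.
    return proc.uid == f.owner or f.world_readable


def can_read(proc: Process, f: File, mac_enabled: bool) -> bool:
    # With MAC on, the simple-security property is checked first and cannot be
    # overridden by a permissive DAC bit; with MAC off, DAC is all there is.
    if mac_enabled and not proc.label.dominates(f.label):
        return False
    return dac_allows_read(proc, f)


OUTSIDE = Label(0, frozenset({"outside"}))
INSIDE = Label(1, frozenset({"inside"}))
GATEWAY = Label(1, frozenset({"inside", "outside"}))   # the policy-defined relay program


def misconfiguration_scenario() -> dict:
    # Constructed scenario: the web-facing daemon is compromised and an admin
    # has mistakenly left the account ledger world-readable.
    ledger = File("accounts.db", INSIDE, owner="bankadm", world_readable=True)
    intruder = Process("httpd", OUTSIDE)
    return {
        "non_b1_misconfigured": can_read(intruder, ledger, mac_enabled=False),
        "b1_misconfigured": can_read(intruder, ledger, mac_enabled=True),
    }
```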