security levels, V.4

[Ran Atkinson]

In article <1990Nov30.165007.2125 at PacBell.COM> jmc at PacBell.COM (Jerry M. Carlin) writes:

>Therefore your administration costs will go up by at least a factor of two 
>and maybe a power of 3 with MANDATORY access control. 

This is true if your security model is the DoD model.  It is not necessarily
true for all trusted systems (even if your software is rated B1 or better).
In general, increases in security have additional costs everywhere 
(not just in computing).

>Networking is yet another problem.

Networking is addressed in the "Red Book" from NCSC and most of the 
"Compartmented Mode Workstations" in development seek to be Red Book 
compliant as well as B2 Orange Book.

>The levels go D (as in no security MSDOS and Mac, for example), C
>(discretionary access controls), B (mandatory access controls) and A
>which is only achieved if you can PROVE your design is secure.

Note that ALL systems that have not been formally evaluated by the NCSC
(such as stock UNIX and stock VM/MVS and stock VMS) are technically 
level D systems.  The A, B, and C designations technically mean that the
system has been formally evaluated by NCSC and was found to meet the 
requirements for that rating.  A lot of vendors (e.g. DEC about VMS)
are talking as if their systems have actually been rated C2 or B1,
when in fact they are unrated.  The A-level distinguishes evaluation by
testing to evaluation of the design of the OS itself as well as testing.

>AT&T MLS is actually at the C2/B1 level. 

My understanding is that AT&T Unix System V/MLS is rated B2 by NCSC.

>How much is enough depends on how paranoid you are.
>Remember, even paranoids have enemies :-)

Of course if one has enemies than one is not really paranoid right ? :-) :-)

P.S.
  This has drifted a bit from UNIX V/386, so I've redirected followups
to misc.security.  Folks interested in this subject probably should be
subscribers there (It's moderated so volume is low).

Ran 
randall at Virginia.EDU