Re: IDS: Real-time IDS for Windows NT?

John Hall (jhall@sqi.com)
Mon, 15 Sep 1997 16:09:59 -0700

> On Sun, 14 Sep 1997, Keith Bastin wrote:
> 
> > claims that NT is C2 certified is, in large part, a disservice as it leads
> > many inexperienced network managers to a false sense of security and at the
> > same time makes the hackers much more interested in defeating its so-called
> > security...
> > 
> 
> On Mon, 15 Sep 1997, RPL wrote:
>
> If I am not mistaken, only NT 3.51 with Service Pack 5 has achieved a C2
> rating, and this does not take into account a system connected to the
> internet.

Not connected to ANY network for that matter and no floppy drives
either!  (If it was actually US TCSEC C2 rated...)

If I remember correctly, it does not have a US TCSEC C2 rating.
It was actually rated by the ITSEC in Britain, not by the TCSEC (US).
Here's the actual Microsoft announcement (for educational purposes):

> INDEPENDENT EVALUATION REAFFIRMS WINDOWS NT AS THE
> MOST SECURE PC BASED OPERATING SYSTEM AVAILABLE
> Windows NT Server is the first and only PC-based server operating system
> to receive a fully networked C2 or FC2 security evaluation from either
> ITSEC or the NSA, further establishing it as the most secure PC-based
> server operating system available. The UK Information Technology
> Security Evaluation and Certification scheme (ITSEC) has recently given
> Windows NT an FC2/E3 Security Evaluation. This evaluation is the
> European equivalent of the C2 "Red Book" evaluation performed by the
> National Security Agency in the U.S.

"equivalent"....  Well, the word means a lot of things to a marketroid.

Some parts of the ITSEC certification do correspond with the TCSEC,
which is probably why they're claiming what they're claiming.

TCSEC can be found at http://www.radium.ncsc.mil/tpep/epl
ITSEC can be found at http://www.itsec.gov.uk/itsechtml/welcome.htm

Some good questions to ask are:

1.	Was the rating on a heterogeneous network or on a network
	with ONLY NT server systems?
2.	What version of NT was rated and does it have any resemblance
	to the version you are using?
3.	What network services were actually turned on?
4.	Was a special networking stack used throughout the network?
5.	Were any special or unreleased applications or versions used?
6.	Do you really understand what FC2/E3 rating means and how
	a product with that rating fits into your network?

The last question is the biggest pitfall.  These rating systems are
notorious for leaving huge gaps in security.  For example, the
classic Orange Book rating only really meant you could post-mortem
a break-in, not actually stop it, or detect it while it was happening.
The classic Red Book rating leaves out "Covert Channels" and "Denial
of Service" type attacks (which constitute a majority of the attacks
found on networks).

-- 
John Hall                  Senior Network Admin, Postmaster, Webmaster
jhall@sqi.com
+01 425 557 1697                         Siemens Medical Systems, Inc.
InterNIC: JH411                          Ultrasound Group