Re: Loose Cannon-dian
- From: billg999@xxxxxxxxxxx (Bill Gunshannon)
- Date: 11 Sep 2008 12:35:14 GMT
In article <9D02E14BC0A2AE43A5D16A4CD8EC5A593ED5FEB144@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"Main, Kerry" <Kerry.Main@xxxxxx> writes:
-----Original Message-----
From: Bill Gunshannon [mailto:billg999@xxxxxxxxxxx]
Sent: Wednesday, September 10, 2008 9:24 AM
To: Info-VAX@xxxxxxxxxxxx
Subject: Re: Loose Cannon-dian
In article <eblGRJGgrgz6@xxxxxxxxxxxxxxxxxxxxxxxx>,
koehler@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Bob Koehler) writes:
In article <ga6u7j$vnc$03$1@xxxxxxxxxxxxxxxxx>, Michael Kraemer<M.Kraemer@xxxxxx> writes:
That's pretty much nowhere land.
Are there widely accepted certifications beyond
orange book ?
Nowhere? C2, B1, ..., all were written by some folks based on
limited knowledge and their specific needs. There are a lot of other
legitimate security concerns.
For example, Windows got a C2 rating at one time, based on
limitations like no network, no floppies, ...
So what good is a system if you can't enter or retrieve data?
Those ratings are for operational systems. What need is there for a
network connection or floppies on a system running a power plant?
On the network piece, you are kidding, right?
If not, do you understand how a power plant works? With all of its
wireless devices, worker laptops, remote sensing devices etc. It's
all one big "system".
Nope, never worked in a power plant. This was just the example someone
else had used long ago and I played on that. The discussion was over
Windows and C2 and the statement that that meant no network and no
floppies. I was merely trying to propose a scenario where a production
system could be C2 and still actually work as needed.
One can take the system offline, connect a floppy, load and install
needed upgrades and then remove the floppy, recertify and return to
production as a C2 system.
When one looks at things in terms of IS's instead of just a Windows
box this stuff makes a lot more sense. But then, when you are so
totally biased against MS, you become blind to reality.
Bill, you seem to feel that the Internet is the big issue from a
security perspective and that with private networks, you do not need
to worry so much.
Where did you draw that conclusion?
In fact, security analysts will state that 60+% of security issues
are related to internal issues. Hence, even systems/desktops on
private networks need to apply the security patches that come out
each and every month for Windows and Linux.
The whole point of all that I said was that you could have a system that,
in production, does not have network or floppies thus able to be certified
C2 but when in maintenance mode the level of certification is reduced.
It is then recertified C2 and placed back in production.
Of course, this is all moot as the rainbow books are yesterday's standard.
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>