DoD Security Standards
|
|
The U.S. Department of Defense (DoD) gave responsibility for computer security to the National Security Agency (NSA) in 1981 via directive 5215.1, and the National Computing Security Center (NCSC) was formed. The NCSC website states the center’s mission as “technical standards and criteria for the security evaluation of trusted computer systems that can be incorporated into the Department of Defense component life-cycle management process.”
In this section, we will briefly examine some NCSC standards and their impact on network security. The Network+ exam asks you to identify each level.
You can find the evaluation criteria for the DoD computer standards (called the Rainbow Series because of the color of the books) at http://www.radium.ncsc.mil/tpep/library/rainbow.
Trusted Computer System
The NCSC first released A Trusted Computer System Evaluation Criteria (TCSEC) in 1983 for stand-alone, non-networked computers. The current DoD Standard release is 5200.28-STD and is commonly referred to as the Orange Book. The Orange Book defines the standard parameters of a trusted computer in several classes, indicated by letter and number: the higher the letter, the higher the certification. For example, class A is the highest class, and class D is the lowest class. The most publicized class is C2, Controlled Access Protection, which indicates that, within the Trusted Computer guidelines, the computer must have accountability for the data. In other words, each person who uses the computer must have a unique username and password, and the use of a file can be traced to that user. This is the highest NCSC class for local operating systems. Higher-level classes require that operating systems be specifically written to incorporate security-level information as the data is input.
Generally speaking, a stand-alone computer system can qualify for Trusted Computer certification if it meets the objectives in DoD document 5200.28-STD and passes the DoD’s evaluation process. Several vendors put their operating systems through this process. Although Microsoft makes the operating systems for the majority of desktop computers, only its Windows NT product has been submitted and approved for the Trusted Computer certification.
| Note | For the exam, you must know that both Windows NT Server and Workstation are C2-level certified for Trusted Computer (Orange Book). If the computer on which Windows NT Server is installed is connected to a network, however, it loses the C2 Trusted Computer certification. |
Trusted Network Interpretation
In 1987, the NCSC released enhanced testing criteria based on the Orange Book standard. The new standard, NCSC-TG-005, is called the Red Book and is the Trusted Network Interpretation Environmental Guideline (TNIEG). Trusted computers are addressed in the Orange Book. The Red Book defines the certification criteria for trusted networks. They both use the D through A levels. As with the C2 class in the Trusted Computer implementation, the C2 class is the highest class for generic network operating systems. Higher-level classes require that operating systems be specifically written to incorporate security-level information as the data is input.
With a C2 Trusted Network certification, network operating systems must provide a unique user account for each person on the network and provide accountability for the information the user uses. Additionally, the network communications must be secure.
| Note | Currently, several network operating systems are under evaluation for C2 Trusted Network certification. However, the only currently available network operating system that has achieved C2 Trusted Network certification is NetWare 4. |
Certified Operating Systems and Networks
Not all versions of an operating system are certified. This is the case even within the same vendor’s product line. The NCSC requires that products adhere to a specific implementation in order to maintain their security certification. Be sure to check these out if you want to take advantage of the security rating.
| Note | There are no A-level certified Microsoft Windows, Novell NetWare, or Unix operating systems yet. C1 has been discontinued as a certification. |
The Cray Research and Harris Computer Systems versions of Unix are B-level certified. Unix and Windows NT 3.5 are Trusted Computer (Orange Book) certified (C-level). NetWare is certified C2 Red Book, allowing it to operate as a trusted network. Tables 8.1 and 8.2 list the Microsoft Windows, Novell NetWare, and Unix products that are certified as C2 and above as of this writing.
| Certification | Operating System | Vendor | Product Version(s) |
|---|---|---|---|
| B3 Orange Book | Unix | Wang Government Services, Inc. | XTS-200 STOP 3.1E and 3.2E; XTS-300 STOP 4.1, 4.1a, and 4.4.2 |
| B2 Orange Book | Unix | Trusted Information Systems, Inc. | Trusted XENIX 3 and 4 |
| B1 Orange Book | Unix | Amdahl Corporation | UTS/MLS, Version 2.15+ |
| B1 Orange Book | Unix | Compaq | ULTRIX MLS+ Version 2.1 on VAX Station 3100 |
| B1 Orange Book | Unix | Harris Computer Systems Corporation | CX/SX 6.1.1 and 6.2.1 |
| B1 Orange Book | Unix | Hewlett-Packard Corporation | HP-UX BLS release 8.04 and 9.0.9+ |
| B1 Orange Book | Unix | Silicon Graphics, Inc. | Trusted IRIX/B release 4.0.5EPL |
| B1 Red Book | Unix | Cray Research, Inc. | Trusted UNICOS 8 release 8.0.2 |
| B1 Red Book | Unix | Harris Computer Systems Corporation | CX/SX with LAN/SX 6.1.1 and 6.2.1 |
| Cert. | OS | Vendor | Product Version(s) |
|---|---|---|---|
| C2 Orange Book | Unix | IBM | RS/6000 Distributed System |
| C2 Orange Book | Windows NT | Microsoft Corporation | Windows NT Server and Workstation, Version 3.5 with Service Pack 3 |
| C2 Red Book | NetWare | Novell, Inc. | NetWare 4 Network System Architecture and Design, and NetWare 4.11 |
| C2 Red Book | Proprietary | SISTex, Inc. | Assure EC 4.11 for Novell |
| Warning | To verify security certification or check out officially released documents or books, go to the NCSC website at www.radium.ncsc.mil/tpep/epl/index.html. Products may be added or removed by the National Security Agency at any time. The tables here are for informational purposes only. |
Assure EC 4.11 for Novell is included in Table 8.2 because it has ties to Windows 3.x, Windows 95/98, and NetWare. The NSA has certified SISTex’s product as being the trusted workstation component of a NetWare 4/4.11 network. The Assure workstation can run DOS and Windows 3.x programs. Windows 95/98 is allowed, although it was not specifically tested. Assure is not a Microsoft or Novell product; however, this operating system/ hardware combination works with both companies’ products.
|
|
