*BSD News Article 63528
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!uunet!in1.uu.net!news.mindspring.com!nhammond.mindspring.com!nhammond
From: nhammond@mindspring.com (Nicolas Hammond)
Newsgroups: comp.os.linux.development.system,comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.bsdi.misc
Subject: Re: need secure OS to entrust millions to
Date: Fri, 1 Mar 1996 22:45:05 -0400
Organization: MindSpring Enterprises, Inc.
Lines: 93
Message-ID: <nhammond.3.00AE67CD@mindspring.com>
References: <4gi6t6$3h9@lace.colorado.edu> <31304401.3341@pinsight.com> <4gq2j9$2g48@babyhuey.cs.utexas.edu>
NNTP-Posting-Host: nhammond.mindspring.com
X-Newsreader: Trumpet for Windows [Version 1.0 Rev B]
Xref: euryale.cc.adfa.oz.au comp.os.linux.development.system:19311 comp.os.linux.misc:91749 comp.os.linux.networking:31627 comp.unix.bsd.freebsd.misc:15416 comp.unix.bsd.netbsd.misc:2461 comp.unix.bsd.bsdi.misc:2647

In article <4gq2j9$2g48@babyhuey.cs.utexas.edu> dhs@cs.utexas.edu (Douglas H. Steves) writes:
>From: dhs@cs.utexas.edu (Douglas H. Steves)
>Subject: Re: need secure OS to entrust millions to
>Date: 25 Feb 1996 10:26:17 -0600

>In article <31304401.3341@pinsight.com>,
>Roy A. Gilmore <royg@pinsight.com> wrote:
>>Banks need B1-B2 level security.  
>No. Most of the functional differences at B1+ are related
>to mandatory [sic] access controls, which is a DoD-ish
>policy/fetish that doesn't apply to commercial environments.
>A lot of the remainder are miscontrived and misconstrued 
>software engineering fallacies that have nothing to do with
>real security.

I used to work at SecureWare (I now have my own consulting company)
and was the one responsible for setting up the "secure" machine for
Security First Network Bank (www.sfnb.com), the world's first
on-line bank. I also helped with the design of the entire security
architecture. I have also set up other banks, including the first bank offering
on-line services in Central America. I have also set up commercial Web
sites that "protect millions" (usually data, but data critical to some
fortune-100 companies).

There are descriptions on the sfnb home page of some of the security
that was implemented. You will find much useful information at this site
about how to protect a site.

A B-level system was used for "protecting the millions".

The reasons for this are security related - if you are going to protect
valuable data, then you need a machine with high assurances and
a high level of security - a B-level system provides that.

No, you don't need all of the features of the B-level system; but you
do need some, and you need the assurance.

You also need a sound security architecture, a written security policy
reviewed and approved by all that matter. You need a set of 
security and system procedures to cover all administration.
You need penetration tools to verify your architecture.
You need a penetration study from an outside body.
You need regular system audits to verify the security policy,
and security/system procedures are in place and are being followed.

You need to devise an authentication system, so customers can
connect to the bank and the bank can verify who they are.
This includes someone entering a different account name
after they have "authenticated" to the bank/financial institution.
You need audit alarms and checks when someone tries to "break-in".

But, I'm writing your paper for you :-)

Seriously, you do not use a free O/S, for all of its benefits, for
something like this.

>> Read the DoD's "Rainbow Series".
>The pot at the end of the "Rainbow Series" doesn't contain gold.

>>Must be "amateur hour" again.  Feel sorry for your customers...
>Ditto.
>More generally, I feel sorry for people that use systems designed
>according to the NSA/NCSC misapprehensions in this area. Their
>secure OS policies are almost as ludicrous as their crypto
>policies, and just about as damaging.

You can take a system that meets/passes a NSA/NCSC/ITSEC
evaluation and configure it correctly. Thus you can implement
your own "policy" on top of the NSA/NCSC required policy
i.e. deconfigure what you don't need and add some extra
stuff into it.

A correctly configured B1-system has a much higher level of
assurance than a similarly configured non-B1 system.
Why? Assume the system becomes misconfigured (it will,
they all do) - on your B1 system, someone can break in,
but they are restricted to running at a certain level
(compartment, category, choose your term (*)) and cannot
see any other "level". On a misconfigured non-B1 system,
your hacker is in and your millions are gone.

(*) A B1 system provides a capability similar to a virtual OS
running at a particular level - if someone breaks into the
"outside" level, then they cannot see the "inside" level.
This is assuming you have one network card on the "outside"
and one network card on the "inside" - the two should not talk
except through programs defined in your security policy.

Nicolas Hammond
NJH Security Consulting, Inc.
nhammond@mindspring.com
(404)262-1633
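The argument in the post about a misconfigured B1 system is easiest to see with a small model of a reference monitor. The Python below is an added illustration and is not code from the post, from SecureWare, or from any evaluated system: it models labels as a sensitivity level plus a set of compartments, applies a Bell-LaPadula style dominance check on every read independently of the discretionary permission bits, and records denials in an audit log. The level names, compartment tags ("outside", "inside"), object and subject names, and the "misconfigured DAC" scenario are all constructed for the example; the policy-defined gateway is modelled simply as a subject whose label covers both compartments.

```python
from dataclasses import dataclass

# Constructed, ordered sensitivity levels; compartments are an unordered set of tags.
LEVELS = {"public": 0, "internal": 1, "bank": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level is at least as high and compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Obj:
    name: str
    label: Label
    world_readable: bool   # the discretionary (DAC) bit: this is the part that gets misconfigured
    data: str


@dataclass
class Subject:
    name: str
    label: Label


class Monitor:
    """Toy reference monitor: DAC check on every system, MAC check only when enabled."""

    def __init__(self, mac_enabled: bool):
        self.mac_enabled = mac_enabled
        self.audit = []  # denials double as the "audit alarms" the post asks for

    def read(self, subj: Subject, obj: Obj):
        # Discretionary check: the only check a non-B1 system performs.
        if not obj.world_readable:
            self.audit.append(f"DENY dac {subj.name} -> {obj.name}")
            return None
        # Mandatory check: the subject's label must dominate the object's label.
        if self.mac_enabled and not subj.label.dominates(obj.label):
            self.audit.append(f"DENY mac {subj.name}{subj.label.compartments and set(subj.label.compartments)} -> {obj.name}")
            return None
        self.audit.append(f"ALLOW {subj.name} -> {obj.name}")
        return obj.data


def simulate(mac_enabled: bool) -> dict:
    """Scenario: the ledger's DAC bit is left world-readable (misconfiguration),
    an intruder holds a process at the 'outside' level, and a policy-defined
    gateway is the only subject labelled for both compartments."""
    outside = Label("internal", frozenset({"outside"}))
    inside = Label("bank", frozenset({"inside"}))
    gateway = Label("bank", frozenset({"outside", "inside"}))

    ledger = Obj("ledger", inside, world_readable=True, data="constructed account data")
    intruder = Subject("compromised-web-process", outside)
    relay = Subject("policy-gateway", gateway)

    m = Monitor(mac_enabled)
    return {
        "intruder_reads_ledger": m.read(intruder, ledger),
        "gateway_reads_ledger": m.read(relay, ledger),
        "audit": m.audit,
    }


if __name__ == "__main__":
    for mac in (False, True):
        result = simulate(mac)
        print(f"MAC enabled={mac}:")
        for line in result["audit"]:
            print("  ", line)
```

With `mac_enabled=False` the world-readable bit alone decides, so the intruder's read succeeds; with `mac_enabled=True` the same misconfiguration is caught by the label check, the read is denied and logged, and only the gateway subject whose label the policy defined can reach the "inside" data.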