Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: TENCATI@NSSDCA.GSFC.NASA.GOV (SPAN Security Mgr)
Newsgroups: comp.virus
Subject: Re: Mainframe attacks
Message-ID: <0001.9007051920.AA04382@ubu.cert.sei.cmu.edu>
Date: 3 Jul 90 14:02:22 GMT
Sender: Virus Discussion List
Lines: 53
Approved: krvw@sei.cmu.edu

fasteddy@amarna.gsfc.nasa.gov (John 'Fast-Eddie' McMahon) writes...

> I have gotten conflicting answers on this, so I'll ask again...
>
> My understanding is that VMS 4.3 was the version rated at C2, and that
> rating did not automatically carry over to later versions of VMS.
> Hence, if you are running 4.3 you have (potentially) a C2 system. But
> if you are running 4.4 through 5.4 you don't.
>
> Can someone explain how these ratings apply when a system is upgraded?

You are correct in that VMS 4.3 was rated at C2 (Discretionary Access
Controls). This was for VAX/VMS without DECnet. Subsequent versions do NOT
automatically qualify for the C2 rating. This does not mean that the
operating system is not secure (unless we're talking V4.4, which had a bug),
but it means that the new release was never re-tested. VMS still meets the
Orange Book criteria; it just lacks the formal certification.

The NCSC is handling this problem with their Rating Maintenance Phase (RAMP)
program. They are in the process of training the vendor community on the
necessary rules and criteria for assuring that future releases of a product
continue to meet the criteria under which the original rating was granted.
The RAMP program is new, so VMS 4.3 was not included in it. DEC currently
has a "future version" of VMS undergoing recertification by the NCSC at the
C2 level. This version, when rated, will be placed into the RAMP program so
that future updates will continue to be released with the rating current.

In the meantime, DEC personnel are being trained in the RAMP program by the
NCSC.

There are also several versions of UNIX being certified at C2. None of
these, to my knowledge, are under the RAMP program; however, the individual
vendors should be able to supply that information.

For those interested, the NCSC has two publications available which apply
to this discussion: one is the "Rating Maintenance Phase Program Document",
and the other is the Final Report on the certification of VAX/VMS V4.3.

Ron Tencati
Science Applications Research
Co-Chair, DECUS VAX-SIG Security Working Group

---------------------------------------------------------------------------
Network Security Manager                | arpa - tencati@nssdca.gsfc.nasa.gov
Space Physics Analysis Network (SPAN)   | span - NCF::TENCATI /6277::TENCATI
NASA/Goddard Space Flight Center        | tele - +1-301-286-5223
Greenbelt, MD. USA                      | fax  - +1-301-286-4952
---------------------------------------------------------------------------
There are no winners in life, only survivors...