Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!uunet!visenix!beattie
From: beattie@visenix.UUCP (Brian Beattie)
Newsgroups: comp.unix.sysv386
Subject: Re: security levels, V.4
Message-ID: <873@visenix.UUCP>
Date: 3 Dec 90 07:17:58 GMT
References: <1990Nov23.182943.21094@cs.dal.ca> <2389@sixhub.UUCP> <2313@tabbs.UUCP> <1990Nov29.224243.2934@ico.isc.com> <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU>
Reply-To: beattie@visenix.UUCP (Brian Beattie)
Distribution: na
Organization: Department of Redundancy Department
Lines: 30

In article <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU> Ran Atkinson <randall@Virginia.EDU> writes:
>
>If folks dislike C2, they will be much more unhappy with B2.  I on the other
>hand prefer at least a B1 system because it is much safer from breakins

B1 is no more resitant to breakins than C2.
in fact the C2 requirements for I&A (login and password)
are the same as for B2.
A properly administered C1 system is
as safe from _breakin_ as a B2 system.
The extra requirements for B1 and B2 are for
labeling of data and are required to prevent
users with accounts from accessing data improperly
not for preventing unauthorized access to the machine.
It is a common misconception that the higher the rating
the more secure the system is from breakin, this is
generally not the case.

>and such.  I'll not bore folks with the differences between C2 and B1 or B2;
>if you want to know more, go read the Orange Book.
>
>  Ran
>  randall@Virginia.EDU


-- 
It is easier to build a   | Brian Beattie          (703)471-7552
secure system than it is  | 11525 Hickory Cluster, Reston, VA. 22090 
to build a correct system.|
           M. Gasser      | ...uunet!visenix!beattie