Xref: utzoo comp.unix.questions:5717 comp.unix.wizards:6603 Path: utzoo!utgpu!water!watmath!clyde!rutgers!uwvax!oddjob!hao!ames!nrl-cmf!cmcl2!brl-adm!brl-smoke!gwyn From: gwyn@brl-smoke.ARPA (Doug Gwyn ) Newsgroups: comp.unix.questions,comp.unix.wizards Subject: Re: Usenet Security Message-ID: <7311@brl-smoke.ARPA> Date: 22 Feb 88 03:36:26 GMT References: <108@tron.UUCP> <2739@codas.att.com> <23504@hi.unm.edu> Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) ) Organization: Ballistic Research Lab (BRL), APG, MD. Lines: 33 In article <23504@hi.unm.edu> kurt@hi.unm.edu (Kurt Zeilenga) writes: >In article <2739@codas.att.com> mikel@codas.att.com (Mikel Manitius) writes: >>Very simple, if you've got a UNIX machine with a modem, it's not secure. >It's simplier than that. If you got a UNIX machine and it's turned >on, it's not secure. :*D Come on; security comes in differing degrees. It is thought that UNIX can be brought up to DOD B-2 level with some amount of effort, and still look enough like UNIX to support most UNIX-based applications. There are already at least two UNIX implementations approved at level C-1 or higher (so I'm told; I don't have one). One way to not lose an appreciable degree of security due to modem access (assuming telephone line tapping is ruled out) is to have the system check an incoming user ID against an internal list and call back the phone number contained in the internal list to establish the real working connection. The weakest link in many installations is physical security -- for example, on an Ethernet with lots of Sun workstations, unless the cable and workstations have controlled access it is possible for a workstation to be subverted and super-user access to the whole local net to be obtained (assuming typical installation; at least SOME unauthorized access would be obtainable in general). Our favorite method of achieving acceptable security is to keep our systems in controlled-access vaults. Of course they can't have normal network connections to areas outside the vaults. This solves most security problems very simply (but not simultaneous multi-level compartmentalized access control). If you're really concerned with computer security, get in touch with the National Computer Security Center; they specialize in this.