Who is more knowledgeable when it comes to computer security?

[catch]

Has there ever been anything EAL 7? I'm not to good with these ratings. I should find something that explains them sometime.

The Tenix Datagate's Interactive Link Data Diode Device Version 2.1

It is also likely that the government will push for more granularity with the PPs to really tell where you can use Linux and where you cannot. As it stands now, many installations still use TCSEC requirements... switching to the CC would give them systems that may operate in completely different manners yet have similar if not identical ratings. This forces a far more comprehensive review of the ST at least.

Didn't NT get a C2 with no network cable or something? I have a book here somewhere where it's mentoned but I need to find it.

This is a myth put forward by Bruce Scheiner (aka nose-picking idiot) in "Secrets and Lies". He also says that it required an epoxied shut floppy drive. Two things about this are very interesting... the first is that the TCSEC doesn't address things like the floppy drive and network services, especially at the C2 level. The TCSEC is more about confidentiality controls, audit trails... in fact i rewrote this: http://en.wikipedia.org/wiki/TCSEC recently so that it is correct. The second problem with these claims is this document: http://www.radium.ncsc.mil/tpep/libr...FER-99-001.pdf ... straight from the horses mouth as it were... you will find that WinNT4 was evaluated for servers and workstations, stand-alone or part of a domain. The same is true for NT3.5 http://www.radium.ncsc.mil/tpep/libr...FER-95-003.pdf

Do you have a link for anything that talks about trusted paths?

I do, it is even from your own camp:
http://www.linux.com/howtos/Secure-P...ted-path.shtml
I used that as a starting point when doing my Linux questions.
and http://www.radium.ncsc.mil/tpep/libr...erps/0302.html is another It discusses the last change that was made the the TP requirements in the TCSEC.

What if cost is a huge factor? Normally price is a big deal, but what if it's cheaper to hire someone to do this than buy the appliance?

But then you have additional documentation costs, support costs, etc.
If you're some college kid setting up your own web server, by all means using Linux in such a manner is fine... in a real corporate/government environment where these things become more important... COTS is always the best answer.

Lol, But what about Solaris? Lol. For actual Price Linux is quite nice I mean it's not everyday an Enterprise product is like 399 dollars.

Solaris is fine... I wouldn't use it because I think there are better solutions... Linux is fine too and so is FreeBSD (OpenBSD however is garbage) the only problem I have with Linux is people making it out to be something it's not.

cheers,

catch

[catch]

Oh Maestr0...

And I'll say it again, Arent we discussing assurance?

yes, we are... and there are two types of assurance... but I thought we covered that already.

I know the difference and can't for the life of me see why you keep bringing security up, I sure as hell didnt. What I was said was commercial OSs aren't high assurance, that SLES is as high as the others

With regard to validation assurance, sure it is as high as others... with regard to overall assurance Verification + Validation it is still quite low.

I think your anti-linux attitude prevents you from seeing what a marvelous thing this is.

I don't have an anti-linux attitude... when Linux supports (without using research prototypes or custom hacks or random unsupported third party packages) the following functionality I will agree that it is actually a reasonably secure system:

1. Trusted Paths
2. More finely grained access controls including "deny" functionality
3. Segregation of Administrators and Operators
4. More finely grained audit trails
5. A Reference monitor

For now I am off to do holiday baking, back in a few days.

cheers,

catch