Umm... back to the original discussion...
I don't think it's a matter of being more knowledgeable than an attacker.
The attacker always has a basic advantage... The attacker needs only one way in, the defender must secure every point of entry.
XTS-400 is at EAL5. There are at least two other OSes that I can think of that are undergoing EAL5 certification testing. And one undergoing EAL6 evaluation, Integrity-178b. I guess the real question is what do you mean by commercially available?
Quote:
Oh? Which high-assurance systems are still commercially available and currently evaluated that I'm stigmatizing? Name one OS that is CC evaluated above SLES 9 (that's SUSE Linux Enterprise 9) besides IBM's PR/SM.
Suse9 is only at 4, and there are many other operating systems that are at 4.
This indicates a basic ignorance of the Common Criteria on your part.
Quote:
Oh? Which high-assurance systems are still commercially available and currently evaluated that I'm stigmatizing? Name one OS that is CC evaluated above SLES 9 (that's SUSE Linux Enterprise 9) besides IBM's PR/SM.
The Evaluated Assurance Level (EAL) has very little to do with the security of the system... the EAL is only useful when gauged against a Protection Profile (PP).
The ST is the true thing to look at when comparing systems.
So... according to the NIST site SLES9 is not yet evaluated... however according to the SLES9 ST from the IBM site... Windows 2000 is a more secure system when compared against the Win2k ST from the NIST site.
If you don't understand how the most basic of security standards work, why would you try to argue with them?
cheers,
catch
Hi,
There are a lot of problems with Common Criteria assessments, not the least of which is that the economics of the way tests are carried out means that CLEFs that test rigorously will go out of business as companies offering security products will go elsewhere. The other main problem is that the CC are too technically focused and often don't relate to real world STs. They also take too long to get and are rapidly put out of date by upgrades.
The UK government has introduced a lesser assurance mark which doesn't take as long to get and gives assurance for commercial level and lower classification public sector systems.
Anyway, the answer to the original question is that both sides, to do their job properly, have to be aware of not only in-depth technical questions but also broad issues like economics, psychology etc., which is why when hackers grow up they often find a natural stomping ground in security once they have a mortgage to pay and kids to feed.
I think the problem is the l33t attitude (which exists on both sides) i.e. hackers who think their skills can be taught only learnt and security personnel who think that hackers have nothing to teach them. Neither of these extremes is true and I would also think you would be quite challenged to find anyone in the technical world who hasn't done a little hacking (both criminally and technically speaking) even if only to get their job done!
T
It is so difficult..........
By Sun Tzu:
More at http://www.geocities.com/Tokyo/Temple/2009/6.html
Quote:
So in the case of those who are skilled in attack, their opponents do not know where to defend. In the case of those skilled in defense, their opponents do not know where to attack.
Ohhhhh catch you know how to get me going huh, lol.
Windows 2000 was one of the best products Microsoft EVER put out. You've said it before that before this, Windows OSes were a bad joke on IT. I agree there and wonder if you've yet to try Windows Server 2003, which is another improvement I'd say. It's much faster and to be honest quite nice.
However, you know I'm a SUSE guy and won't go down without a fight. So just to find out more for myself, how would Windows as a Web Server compare to something like SUSE Linux ES9, where you could literally "hack" a Web Server right into the Kernel (you have the sources and can do so) and tell it to discard EVERYTHING not HTTP related?
I've read of others doing this for web sites that were high priority targets on the internet where they would "hack" the web server into the Kernel, take out everything that wasn't needed, and then leave it. The server had yet to ever be broken into, which would be hard considering it won't ack anything that wasn't traffic for the web.
How the hell could Windows 2000 compete with this? Windows needs RPC and, come on man, you can't tell me IIS hasn't had its large share of problems.
You know what I miss?
http://www.windows2000test.com
Microsoft took those battered servers down before releasing Windows 2000 to the public. They had not ONCE been broken into, but DAMN did they get attacked. That alone was a good marketing tactic on the part of Microsoft.
Personally I'd like to see them bring back the oldest OS they ever sold. I know you'll get that but some are probably thinking DOS lol.
I just don't get how Windows CAN be more secure than a Unix based OS when it's the only platform with worms and virii and IIS and.... IE... IE is crap for security and most people realise that. And you really can't get rid of it without breaking things.
So, Catch, if you were to pick between AIX and PitBull, or Windows 2000, which would you wave your flag for?
I know you're not bashing SUSE so don't take this as an attack, you know it's not. Hell I've seen you praise SUSE before =)
"This indicates a basic ignorance of the Common Criteria on your part."
Do you actually read anything, or do you just talk constantly to try and sound smart?
"The Evaluated Assurance Level (EAL) has very little to do with the security of the system."
Aren't we discussing assurance right there? Are we reading the same thread? Evaluated Assurance Level. What could something with a name like that possibly refer to? Windows 2000 has EAL4+ and satisfies CAPP. SLES9 has EAL4+ and also satisfies CAPP (and yes they have the same augments).
Quote:
"Actually,high assurance systems are simpler in design than low assurance ones... they just cost more to develop and comments like this push an unjustified stigma."
Oh? Which high-assurance systems are still commercially available and currently evaluated that I'm stigmatizing? Name one OS that is CC evaluated above SLES 9 (that's SUSE Linux Enterprise 9) besides IBM's PR/SM.
Is that difficult?
"the EAL is only useful when gauged against a Protection Profile (PP)."
The EALs are a generic set of assurances and requirements for people who don't know exactly what they need. If clear documented evaluations in Configuration Management, Delivery and Operation, Development, Guidance Documents, Life Cycle Support, Tests, and Vulnerability Assessment aren't useful to you, then "no" it's not useful. However these are quite useful to me and the rest of the world.
PP's are sets of assurances and requirements for people who know what they need.
"The ST is the true thing to look at when comparing systems." I would say the ST is the thing to look at when evaluating a system for your needs. Provided you have a PP or know your requirements, the ST should answer that for you. The Security Target is the developer's answer to a set of requirements people want (PPs). The ST lays out how you meet the PP's requirements and/or any other features the developer wants to document. Some STs may be mostly in answer to a PP (like Win2000 and SLES9 both basically fulfill CAPP requirements); you may have an ST that doesn't include a PP because it costs so much to have it evaluated.
"however according to the SLES9 ST from the IBM site... Windows 2000 is a more secure system when compared against the Win2k ST from the NIST site."
That's just a dumb statement. Both STs show the OSs fulfill CAPP requirements. There are a few features that differ that are not CAPP (and Windows even omits a few of those with some excuses). Some additional features are documented in Windows, and some in SLES. I fail to see how you can take two STs that meet the same criteria (PP), and say one is more secure. This indicates a basic ignorance of the Common Criteria on your part.
-Maestr0
mohaughn,
Yep, didn't know XTS-400 was alive. But I see you are correct. Last I saw was XTS-300, and I thought they'd gone out of business (again) but looks like it's been revived/bought (again) by BAE Systems (and it runs linux stuff too :) ). And by commercial evaluation, I was trying to illustrate the fact that EAL4 is the highest international rating. The only way in the US to get EAL5-7 is through the NSA/Government, so EAL4 would be the highest rating a commercial OS can get here without government friends. It differs in other countries, but I don't believe there is any agreement yet on EAL5 and up.
Maestr0... you're just digging yourself in deeper, the best part is that you don't even realize it.
Of course we are.
Quote:
Aren't we discussing assurance right there? Are we reading the same thread?
That rating, the EAL, refers to Validation Assurance... or what level of assurance does the system provide to support what it claims to do? (simplified as "does it do the thing right?")
Quote:
Evaluated Assurance Level. What could something with a name like that possibly refer to?
When speaking of a "High Assurance System" one must consider both Validation Assurance AND Verification Assurance ("Does this system do the things required to provide a secure environment?" or "Does it do the right thing?")
I could make up a system that meets all the EAL7 requirements, that doesn't even have a security policy. Every user on the system is a superuser... and because of the high EAL, you know for damned sure that every single user will be a superuser and I'll have heaps of documentation and proofs to back me up on that.
So I'll say it again... The Evaluated Assurance Level (EAL) has very little to do with the security of the system.
Just like every other Linux fan boy on the planet, you have no idea how verification and validation work... you just think that validation is everything. The TCSEC, which takes BOTH into consideration, evaluates Windows at C2 and Linux at C1. ("I fail to see how you can take two STs that meet the same criteria (PP), and say one is more secure. This indicates a basic ignorance of the Common Criteria on your part.") Sure the TCSEC is deprecated while the CC attempts to reflect the same level of depth and granularity... in a few years' time when all the EALs and PPs are finished... you will once again see that Windows meets PPs that SLES 9/10/11/12 doesn't meet. To the point, the CAPP is not comprehensive... Windows', like SecureOS's EAL4+ rating, is considerably more secure than many other EAL4+ ratings, even against the same PPs.
Linux can meet all the validation assurances in the world (assuming they at some point branch from the open source kernel) but they will not meet the verification ones.
Linux's lack of a trusted path, poorly expressive access control systems, failure to segregate administrators and operators, and lack of a reference monitor hold it back... until fundamental changes are made, Windows will remain more secure.
Now gore... "I've read of others doing this for web sites that were high priority targets on the internet where they would "hack" the web server into the Kernel, take out everything that wasn't needed, and then leave it." You're better off running a single level webserver appliance at this point... like HYDRA. To compare Windows (which can be nearly equally minimized), a general purpose OS, against a web appliance... is apples and oranges.
Only part of system security is if the system can be "owned" externally... a far more significant part is the users' ability to trust their system (trusted paths, audit trails, etc), the ability to control very powerful users (segregation of admins and operators), and the ability to very simply and accurately define the smallest set of subjects indicated that may access a given object. Lastly of course is the predictability of the security model... will it degenerate into entropy eventually... most do. How long? Will rights be able to propagate in an unpredictable manner? That isn't good... why even have a policy?
In the last 6 years... neither Windows nor IIS has had a single instance where a real vulnerability has come out. Vulnerability of course being an exception that allows the system's security policy to be violated. Most systems are configured with far too relaxed policies that allow compromise within the policy. This is not an IIS or OS problem but a system owner problem.
Quote:
you can't tell me IIS hasn't had its large share of problems.
Again, none of these things are vulnerabilities... they are issues where users configure the systems so poorly that viruses and worms and application errors can do very bad things... even though they NEVER violate the system's security policy. In other words the viruses and application exploits don't do anything more than what the admin has allowed them to do.
Quote:
I just don't get how Windows CAN be more secure than a Unix based OS when it's the only platform with worms and virii and IIS and.... IE... IE is crap for security and most people realise that. And you really can't get rid of it without breaking things.
The people at Argus have kinda pissed me off, ever since Jeff Thompson left... I like AIX... but not as a workstation or even as a server if I was responsible for the budget. ;) AIX is a very good system though... in a lot of ways better than Windows of course. But Windows is just so cheap and easy and powerful enough.
Quote:
So, Catch, if you were to pick between AIX and PitBull, or Windows 2000, which would you wave your flag for?
You're right, I'm bashing people who misuse standards to support false claims. I do like SUSE, but it isn't as secure as Windows.
Quote:
I know you're not bashing SUSE so don't take this as an attack, you know it's not. Hell I've seen you praise SUSE before
cheers,
catch
Has there ever been anything EAL 7? I'm not too good with these ratings. I should find something that explains them sometime.
Quote:
Originally posted here by catch
I could make up a system that meets all the EAL7 requirements, that doesn't even have a security policy. Every user on the system is a superuser... and because of the high EAL, you know for damned sure that every single user will be a superuser and I'll have heaps of documentation and proofs to back me up on that.
Didn't NT get a C2 with no network cable or something? I have a book here somewhere where it's mentioned but I need to find it.
Quote:
So I'll say it again... The Evaluated Assurance Level (EAL) has very little to do with the security of the system.
Do you have a link for anything that talks about trusted paths?
Quote:
Linux's lack of a trusted path, poorly expressive access control systems, failure to segregate administrators and operators, and lack of a reference monitor hold it back... until fundamental changes are made, Windows will remain more secure.
Quote:
You're better off running a single level webserver appliance at this point... like HYDRA. To compare Windows (which can be nearly equally minimized), a general purpose OS, against a web appliance... is apples and oranges.
What if cost is a huge factor? Normally price is a big deal, but what if it's cheaper to hire someone to do this than buy the appliance? I know Windows can be dwindled down to something SOMEWHAT bare, but that's only because I know the Xbox ran a trimmed down version of 2000.
Heh how many worms could be prevented here heh. ;)
Quote:
In the last 6 years... neither Windows nor IIS has had a single instance where a real vulnerability has come out. Vulnerability of course being an exception that allows the system's security policy to be violated. Most systems are configured with far too relaxed policies that allow compromise within the policy. This is not an IIS or OS problem but a system owner problem.
Lol, but what about Solaris? Lol. For actual price Linux is quite nice ;) I mean it's not every day an Enterprise product is like 399 dollars.
Quote:
The people at Argus have kinda pissed me off, ever since Jeff Thompson left... I like AIX... but not as a workstation or even as a server if I was responsible for the budget. ;) AIX is a very good system though... in a lot of ways better than Windows of course. But Windows is just so cheap and easy and powerful enough.
Yea I'm good like that hehe.
Quote:
You're right, I'm bashing people who misuse standards to support false claims. I do like SUSE, but it isn't as secure as Windows.
Wow, it's like talking to a rock. :)
"So I'll say it again... The Evaluated Assurance Level (EAL) has very little to do with the security of the system."
And I'll say it again, aren't we discussing assurance? I know the difference and can't for the life of me see why you keep bringing security up, I sure as hell didn't. What I said was commercial OSs aren't high assurance, that SLES is as high as the others, and the OSs that are high assurance are fewer and fewer because they haven't kept up with the times. Trusted Solaris was the most common TOS in use, a datacenter edition cost around $80,00 give or take, it's gone, now it's just extensions to OpenSolaris10. RHEL 5 is going to use CAPP/RBACPP/LSPP and will be the first TOS that's a cheap commercial product. I think your anti-linux attitude prevents you from seeing what a marvelous thing this is.
-Maestr0
P.S.
" however according to the SLES9 ST from the IBM site... Windows 2000 is a more secure system when compared against the Win2k ST from the NIST site." This is still the dumbest thing you've said to date. :)
And you know it.
EDIT:
Gore,
"Has there ever been anything EAL 7" No. Not that anyone would tell you about anyway, without having to kill you. <EDIT> Not any OSes.
"Didn't NT get a C2 with no network cable or something?" The Orange Book was for individual multiuser systems. Think mainframes and terminals, the internet wasn't near as cool in 1985 :). The Red Book was the same theory expanded to cover networking principles.
"Do you have a link for anything that talks about trusted paths?"
Trusted Solaris is a good and well documented system. Go to Sun and read all about it.
As for your web server thingy, no. Applications have no business in kernels. Run a custom linux kernel with nothing but Apache, put it on a read-only solid state FS and call it an appliance. Or even smarter, do like Catch said and buy one from someone who did it for you.
P.P.S. Happy Thanksgiving to everyone in the states, and have a great Thursday to everyone else.