From owner-freebsd-questions Fri Mar 15 15:32:55 2002
From: "Robert Shea"
To: "Darren Reed", "Dr. Evil"
Cc: , , ,
Subject: RE: Security: FreeBSD vs OpenBSD
Date: Fri, 15 Mar 2002 15:28:38 -0800
In-Reply-To: <200202030549.QAA21515@caligula.anu.edu.au>

The "Orange Book" (DOD-5200.28-STD) mostly receives flack from ill-educated individuals who don't understand it. It is, for the most part, an excellent measure of system security and has remained amazingly timeless (what other computer doc from 1985 is still by and large accurate today?). It's said that 2 years is a generation in the computing world; I think 17 (and counting) is a wonderful example of forward thinking. Many of these trusted systems are used in high-threat environments. (Trusted Solaris, HP-VV (formerly HP-UX BLS), and CA-CFA2 MVS w/MAC are fine examples from Sun, HP and IBM respectively.) These systems, as Darren stated, are not cheap; however, up-and-coming TOSes can be acquired for free, such as the aforementioned SELinux, TrustedBSD, and Pitbull/LX (for non-commercial use, of course). Another main difference is that most people are highly resistant to the idea of trusted systems.

Any number of reasons can explain this; that people know and love UN*X and don't want to learn something different is a likely culprit, but in my experiences in these discussions in the past, most people are very resistant to the idea of an OS being more secure than UN*X. Mostly, however... if you take that step and accept that the trusted system philosophy is on to something, the next thing you need to overcome is that, according to the Orange Book, NT is more secure than standard UN*X. Sad to say, but the majority of admins are unwilling to accept such a (*shoots himself for using this phrase*) paradigm shift when it puts their years of making fun of NT'ers in the wrong. ;)

robert

%I find that somewhat amusing, given all the flack the Orange Book model
%has received over the years. The above description fits a high level B
%or A grade machine (your OpenBSD doesn't even qualify for C2
%as can Solaris
%and friends). Given that there are already products available
%which have
%been designed with capabilities in mind, from scratch, shouldn't we all
%be using those in environments where security must come first?
%
% Oh, most
%of them aren't free or available for pennies, either...
%
%Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message