Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Oct 2002 19:08:03 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        Craig Rodrigues <rodrigc@attbi.com>, Steve Kudlak <chromexa@ovis.net>, "Roman V. Mashak" <mrv@tv2.tomsk.ru>, "'hackers@freebsd.org'" <hackers@FreeBSD.ORG>, "Nelson, Trent ." <tnelson@switch.com>, chris@FreeBSD.ORG
Subject:   Re: C-2(Security) blues and the like
Message-ID:  <Pine.NEB.3.96L.1021010190035.39392H-100000@fledge.watson.org>
In-Reply-To: <3DA6059A.C248EF9F@mindspring.com>

next in thread | previous in thread | raw e-mail | index | archive | help

On Thu, 10 Oct 2002, Terry Lambert wrote:

> Craig Rodrigues wrote:
> > On Thu, Oct 10, 2002 at 06:34:30PM -0400, Robert Watson wrote:
> [ ... where to get security standards ... ]
> 
> Cool.  You guys are a wealth of information.. 
> 
> Robert: any chance of this finding its way into a docs secion on the
> TrustedBSD.org web site? 

Yeah, I was thinking that myself.  At one point were were going to stick
up a bibliography, but I never quite got around to it.  I've CC'd Chris
Costello <chris@FreeBSD.org> in this e-mail--he's been doing TrustedBSD
docs work, and can probably help put something together.  At the very
least we'd want to have references to:

  CC, both at ISO, NIST, etc

  Various relevant protection profiles, including (historically) the
  Orange Book, but more recently CAPP, LSPP, and the boatload of other
  profiles floating around (they exist for secure routers, etc, etc). 

  Links to the MAC documentation in the developer's handbook.

Any other papers people think are relevant.  Also, we have a recent Design
+ Implementation paper submitted to the DISCEX III conference, I'm going
to see if I can't get that up on the web page.

BTW, my earlier comments still stand -- I think we have a grasp on the
feature sets for most of these profiles, but what we don't have is an
organization willing to carry through on the evaluation process.  For
grins, it probably costs between USD 500k and USD 1.5m.  CC/CAPP and
CC/LSPP are a bit less focussed on the dual hardware/software
configuration, but you do still have to update the certification at each
new release (not very hard for a branch like -STABLE).  The goal of having
such a certification would be to get in the door with DoD, better with the
banking community, etc.  Right now, as I mentioned previously, if your OS
product isn't already in evaluation, DoD needs special exemptions to use
the software, apparently.

If we could find a vendor interested in selling FreeBSD
distribution/support to some bit of DoD, I could probably help raise
funding for missing components.  Not enough to cover all of the evaluation
-- that would require substantial private investment, but certainly enough
to do supporting infrastructure and assurance stuff.  Probably the best
thing to do is find a bit of DoD already using FreeBSD and being forced to
switch off by NIAP requirements, and connect them with a FreeBSD vendor
willing to do some of the work (for a fee). 

FWIW, I'm aware of several products based on FreeBSD that are either in
evaluation, or have been evaluted.  Most of the time it's in the context
of an embedded network product, so the differences are pretty substantial,
though.  If we did find appropriate sponsorship and a home for the
project, we could probably get FreeBSD to EAL3/CAPP by 2003Q3.  Being "in
evaluation", as mentioned, would be enough to keep making sales.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1021010190035.39392H-100000>