Date: Thu, 10 Oct 2002 19:08:03 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.ORG> To: Terry Lambert <tlambert2@mindspring.com> Cc: Craig Rodrigues <rodrigc@attbi.com>, Steve Kudlak <chromexa@ovis.net>, "Roman V. Mashak" <mrv@tv2.tomsk.ru>, "'hackers@freebsd.org'" <hackers@FreeBSD.ORG>, "Nelson, Trent ." <tnelson@switch.com>, chris@FreeBSD.ORG Subject: Re: C-2(Security) blues and the like Message-ID: <Pine.NEB.3.96L.1021010190035.39392H-100000@fledge.watson.org> In-Reply-To: <3DA6059A.C248EF9F@mindspring.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 10 Oct 2002, Terry Lambert wrote: > Craig Rodrigues wrote: > > On Thu, Oct 10, 2002 at 06:34:30PM -0400, Robert Watson wrote: > [ ... where to get security standards ... ] > > Cool. You guys are a wealth of information.. > > Robert: any chance of this finding its way into a docs secion on the > TrustedBSD.org web site? Yeah, I was thinking that myself. At one point were were going to stick up a bibliography, but I never quite got around to it. I've CC'd Chris Costello <chris@FreeBSD.org> in this e-mail--he's been doing TrustedBSD docs work, and can probably help put something together. At the very least we'd want to have references to: CC, both at ISO, NIST, etc Various relevant protection profiles, including (historically) the Orange Book, but more recently CAPP, LSPP, and the boatload of other profiles floating around (they exist for secure routers, etc, etc). Links to the MAC documentation in the developer's handbook. Any other papers people think are relevant. Also, we have a recent Design + Implementation paper submitted to the DISCEX III conference, I'm going to see if I can't get that up on the web page. BTW, my earlier comments still stand -- I think we have a grasp on the feature sets for most of these profiles, but what we don't have is an organization willing to carry through on the evaluation process. For grins, it probably costs between USD 500k and USD 1.5m. CC/CAPP and CC/LSPP are a bit less focussed on the dual hardware/software configuration, but you do still have to update the certification at each new release (not very hard for a branch like -STABLE). The goal of having such a certification would be to get in the door with DoD, better with the banking community, etc. Right now, as I mentioned previously, if your OS product isn't already in evaluation, DoD needs special exemptions to use the software, apparently. If we could find a vendor interested in selling FreeBSD distribution/support to some bit of DoD, I could probably help raise funding for missing components. Not enough to cover all of the evaluation -- that would require substantial private investment, but certainly enough to do supporting infrastructure and assurance stuff. Probably the best thing to do is find a bit of DoD already using FreeBSD and being forced to switch off by NIAP requirements, and connect them with a FreeBSD vendor willing to do some of the work (for a fee). FWIW, I'm aware of several products based on FreeBSD that are either in evaluation, or have been evaluted. Most of the time it's in the context of an embedded network product, so the differences are pretty substantial, though. If we did find appropriate sponsorship and a home for the project, we could probably get FreeBSD to EAL3/CAPP by 2003Q3. Being "in evaluation", as mentioned, would be enough to keep making sales. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1021010190035.39392H-100000>