security levels, V.4

Brian Beattie beattie at visenix.UUCP
Mon Dec 3 18:17:58 AEST 1990


In article <1990Nov30.145545.29792 at murdoch.acc.Virginia.EDU> Ran Atkinson <randall at Virginia.EDU> writes:
>
>If folks dislike C2, they will be much more unhappy with B2.  I on the other
>hand prefer at least a B1 system because it is much safer from breakins

B1 is no more resistant to breakins than C2.
In fact the C2 requirements for I&A (login and password)
are the same as for B2.
A properly administered C1 system is
as safe from _breakin_ as a B2 system.
The extra requirements for B1 and B2 are for
labeling of data and are required to prevent
users with accounts from accessing data improperly,
not for preventing unauthorized access to the machine.
It is a common misconception that the higher the rating
the more secure the system is from breakin; this is
generally not the case.

>and such.  I'll not bore folks with the differences between C2 and B1 or B2;
>if you want to know more, go read the Orange Book.
>
>  Ran
>  randall at Virginia.EDU


-- 
It is easier to build a   | Brian Beattie          (703)471-7552
secure system than it is  | 11525 Hickory Cluster, Reston, VA. 22090 
to build a correct system.|
           M. Gasser      | ...uunet!visenix!beattie


