Continued …

The Orange Book / TCSEC:

Hierarchical division of security levels -
* A - Verified protection
* B - Mandatory protection
* C - Discretionary protection
* D - Minimal security

Topics - Security policy, accountability, assurance and documentation

Areas -
* Security policy - Must be explicit and well defined and enforced by the mechanisms within the system.
* Identification - Individual subjects must be uniquely identified.
* Labels - Access control labels must be associated properly with objects.
* Documentation - Includes test, design, specification documents, user guides and manuals.
* Accountability - Audit data must be captured and protected to enforce accountability.
* Life cycle assurance - Software, hardware and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout its lifetime.
* Continuous protection - The security mechanisms and the system as a whole must perform predictably and acceptably in different situations continuously.

Evaluation levels -
* D - Minimal Protection
* C1 - Discretionary Security Protection
* C2 - Controlled Access Protection
* B1 - Labeled Security
* B2 - Structured Protection
* B3 - Security Domains
* A1 - Verified Design

The Red Book / TNI:

TNI - Trusted Network Interpretation. Addresses security evaluation topics for networks and network components. It addresses isolated local area networks and wide area internetwork systems.

Security items addressed:
* Communication integrity
-- Authentication
-- Message integrity
-- Nonrepudiation
* Denial of service prevention
-- Continuity of operations
-- Network management
* Compromise protection
-- Data confidentiality
-- Traffic flow confidentiality
-- Selective routing

Ratings -
* None
* C1 - Minimum
* C2 - Fair
* B2 - Good