

  • Subject: RE: INCREDIBLE - what am I missing here... ??? !!!
  • From: edfishel@xxxxxxxxxx
  • Date: Fri, 29 Sep 2000 11:18:04 -0500
  • Importance: Normal

Rob & John,

I cannot ignore the inaccurate statements about C2 any longer.  Rob wrote:

>I don't think IBM has gone for C2 certification since (V3R2 or V2R3, I
>can't remember).  The problem was it only was certified if the 400 was in a
>locked room with no wiring leaving the room.  That's when IBM decided that
>it had no value to any of the customers.

Please look at http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html and
scroll down the list for IBM systems that have received a TCSEC evaluation.
The AS/400 has been evaluated five times. The last time was for a V4R4 RISC
system that included TCP communications. You can also go to
http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-006-D.html to read
more details.

C2 has value to us (IBM) and our customers because the process of being
evaluated by an independent body helps us to find and fix security
problems. It also has a value for those releases of AS/400 that have not
been evaluated because we still follow those processes needed to design the
system to meet the C2 requirements. In other words AS/400 security today is
better because it was evaluated five times in the past.

John wrote this response to someone else's statement:

> . . .                                             C2 is a process that
>involves continuous auditing as much (or even more so) than configuration
>settings.

It is true that auditing is very important to a C2 system, but
configuration is more important. A C2 system does not have to have all
auditing turned on. The important thing is that the system administrator
can turn on auditing for each security relevant event they want to audit.
A system is only considered to be a C2 system when the operating system
is installed as prescribed on hardware that was part of the evaluation. If
someone were to take an AS/400 that was correctly installed as a C2 system
and change important security system values, such as setting QSECURITY to 30,
then the system would be out of configuration and could no longer be called
a C2 system.

Ed Fishel,
edfishel@US.IBM.COM


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
