[Security_sig] Conf. call minutes 6/10

Makan Pourzandi Makan.Pourzandi at ericsson.com
Mon Nov 1 06:31:40 PST 2004


Hi Ed,

Sorry for my late answer, I just read your email that's since my main 
effort is now on working with SAF related security issues, and then my 
time for participating in CGL security has been reduced. Anyway, my 
apologies in advance for my sometimes late answers.
Back to your remark, you're right, bear in mind that this my personal 
opinion, I believe that there is more and more people believing  that 
there is more need for a better configuration of the existing security 
mechanisms than introducing new security paradigms. I have to say that 
this makes sense, actually I remember reading some reports from IBM and 
else stating that the first cause of compromise/exploits for servers is 
the misconfiguration. As you mentioned, introducing new technologies is 
always difficult, for many MAC is directly associated to SE Linux, and 
the Fedora experience with SE Linux turned out _not_ to convince people 
that SE Linux (for many then MAC) is mature for prime time. Once again, 
in my personal opinion, there is need for MAC on some parts of the 
cluster, though we should work more to simplify SE Linux administration. 
For time being, it seems from what I read across telecoms industry press 
that the resources are more put on correctly using the existing security 
mechanisms rather than introducing new techniques. Personally, I don't 
believe that  it's bad for the industry.
IMHO, we will come back to MAC in the future when the maintenance and
administration of SE Linux is more mature (I mention SE Linux instead of
MAC as SE Linux is the most mature product implementing MAC on Linux,
please correct me if I'm wrong?), then we should keep MAC as a priority
for future releases of CGL. But for time being, I don't believe that we
should impose on our admins the difficulties of maintaining SE Linux in
production environment.

Regards,
Makan


Ed Reed wrote:
> hmmmm...remember, Makan - EAL4 and MAC are completely 
> unrelated things.  
> 
> MAC is a feature, support for some security policy.
> 
> EAL4 is an assurance level associated with the design, development,
> delivery, installation, and support of the system, whatever
> its functionality.
> 
> For instance, it's quite common for systems supporting the
> Controlled Access Protection Profile (CAPP) to support either
> EAL3 or EAL4 levels of assurance, though they only have
> Discretionary, not Mandatory, Access Controls.
> 
> CGL may well require EAL4 and still not support MAC.
> 
> Ed
>  
>  
> 
>>>>Makan Pourzandi <Makan.Pourzandi at ericsson.com> 06/10/04 6:07 pm >>> 
> 
>  
>  
> 
>>Emily:  MAC is in CGL spec w/ priority level 3.  Is this required? 
>>
> 
> Hi, 
>  
> I remember in the Market Requirement Document (MRD) for CGL 3.0 which 
> was sent to the cgl-specs mailing list several months ago, there was a 
> requirement to support EAL 4 for cgl 3.0. What happened to that 
> requirement? Am I right to think that if we want to support that 
> requirement we should have MAC? 
> I believe that  requirement has been added to MRD because many 
> governments ask for EAL 4 compliance for "important" systems (included 
> many carrier grade servers). Am I right to think so or it's not yet 
> implemented in the facts? 
>  
> Regards, 
> Makan 
> ---------------- 
> Makan Pourzandi, 
> Ericsson Research Canada 
> *This email does not represent or express the opinions of Ericsson Inc. 
>  
>  
> 
>>
>> 
>>
> 
>  
> security_sig mailing list 
> security_sig at lists.osdl.org 
> http://lists.osdl.org/mailman/listinfo/security_sig 
> 

-- 

Makan Pourzandi, Open Systems Lab
Ericsson Research, Montreal, Canada
*This email does not represent or express the opinions of Ericsson Inc.*



More information about the security_sig mailing list