Novell's Class C2 Level Security Evaluation "For a Network"
Senior Research Engineer
Novell Developer Information
01 Jul 1997
When Novell's Class C2 security evaluation is completed this summer, it will be the first trusted commercial operating system for a network: that includes server, client, and all connectivity pieces in between. Read all about it here!
Novell is nearing the conclusion of the Class C2 security evaluation through the National Computer Security Center (NCSC). When this process is completed, Novell will offer its customers the first trusted "out-of-the-box" commercial operating system that has been Class C2 evaluated for a network. Novell's approach for a Class C2 network evaluation requires that the network system be able to effectively handle any discovered flaws in the security on any of the evaluated network components. This includes workstation client and server hardware and their operating systems, and all connectivity pieces in between.
This AppNote provides a quick overview of what Novell's Class C2 evaluation will mean to our customer base. It describes the new security paradigm established by Novell and identifies how most companies will ramp up to C2 level security. It then explores the ramifications of C2 security on information sharing in interconnected environments.
For more information on Novell's security efforts, visit the IntranetWare web site at: http://www.novell.com/intranetware
Unlike Microsoft's Windows NT, which was evaluated as a standalone server without network capability (it was evaluated with no network adapters installed), Novell's server operating systems are being evaluated as a fully operational server connecting with fully operational workstations. Novell's evaluation addresses not only proper standalone authentication at the workstation, but extends to the actual mechanisms involving proper authentication across the wire to the "fully operational" network server, with network adapters included. For Novell customers, this means an "out-of-the-box" network security infrastructure, one which provides real Identification and Authentication (I&A), along with accountability for who is logged in and what they can and cannot access.
This is no small point. Many operating systems have access controls that lack the strength-of-mechanism ability to prevent data disclosure, or they are without the means to prevent users from circumventing those controls. Other operating systems, perhaps with strong controls, do not prevent audit data manipulation or circumvention. This is an equally threatening problem, since the audit record can be manipulated to tell a different story from what really happened.
A New Security Paradigm
Given Novell's approach, some proponents of one operating system over another will point out that Novell's first offering does not include Microsoft's Windows NT or Windows 95 client at the workstation (not in the evaluated configuration), and that Microsoft's standalone evaluation is still valid, maintaining its Evaluated Product List entry with the U.S. Government.
That is true. However, in its first offering, Novell's evaluated modular network architecture provides for something which no competitor has ever proposed. It is a complete network security infrastructure which is modular in nature, meaning that you can plug in any client operating systems and connectivity elements that have been evaluated at Class C2 "For A Network" under Novell's architecture, and the system will still meet Class C2 level ratings. This Global Security Architecture allows for a rapid evaluation at the Class C2 level for any change in network components, providing customers with a clear migration path for future developments.
Partners, developers, even customers can now develop "trusted" components, such as trusted workstations, trusted wire technologies, and trusted server components, without having to re-evaluate the entire network for Class C2 every time. Only the component being replaced requires re-evaluation. Once the component completes the Class C2 network evaluation, customers can acquire new security products rapidly and economically. This will allow customers to design trustable networks from inexpensive commercial components.
These abilities to propose, evaluate, and acquire commercial components for an evaluated network architecture are a boon to both developers and customers. However, customers, partners, and developers must continue to state their real security needs if they are to retain these abilities.
Where Most Companies Will Begin
Getting the most security benefit for customers, planners, or even vendors is the main point of Class C2. Bear in mind that you must have the Class C2 operating system (IntranetWare version 4.11), and you have to install it with the commands contained in the SECURITY.NCF file and in accordance with security documentation in order to get the higher level of assurance associated with Class C2.
At first, many companies will limit their approach to security as in the following scenario. A company with some version of NetWare, perhaps version 3.12, upgrades to version 4.11 to obtain the benefits of Novell Directory Services (NDS). Through this upgrade, they obtain the "ability" to run a Class C2 level system. However, for our scenario, they choose not to run an entirely evaluated configuration. They omit some setup steps or components across the entire network. They are just relying on the baseline technologies to be adequate for their general purposes.
This is where most companies will probably start. It is also where most existing NetWare/IntranetWare networks can migrate from in their business implementations. The benefit these companies gain through the Novell approach is that they can create "islands of security" with a higher level of protection from out-of-the-box NetWare/IntranetWare. They can also obtain a trustable level of assurance on any specific network system they have by installing and configuring to Novell's evaluated configuration.
Secure Information Sharing
Novell took the above-stated security approach in order to facilitate a security solution for one of the major issues companies now face: information sharing. While many companies recognize that they have certain information that even employees must not spread around in the company, they have no specific way of controlling the distribution of that information, even with firewalls in place. (You must recognize that a single employee with a modem can unintentionally foil the entire firewall scenario.)
Yet, even though Class C2 evaluation criteria do not handle information distribution and electronic commerce problems of this nature, they do meet the Class C2 criteria which you must have to get any "assurance" that the system really does know, and did properly record, who is using and accessing information in sensitive areas of your company.
Many companies are looking to interconnectivity as a means of granting new levels of information access and providing information to customers, while maintaining information control. But interconnectivity implies information sharing, which has its own set of problems and solutions well above Class C2, in the Class B areas.
For instance, you send an e-mail message or a proposal that may be going outside your company. Yet you do not have any commercially-available basis to ensure the proper safeguards on the integrity of that transmission unless you are using a Class C2 trusted workstation; otherwise, data integrity can be altered and compromised.
As another example, suppose some other company sends you a virus along with your receipt of a purchase order. Because it is included with a "legitimate" piece of data, the virus sails right past your company's security restraints. In this case, a Class C2 level network will catch the virus if it tries to execute beyond your authority, and your workstation will accurately record the event.
A final example: suppose your administrative assistant accidentally sends a copy of your stock options along with e-mail to someone, inside or even outside your company. Only Class B solutions are evaluated to provide this level of document and data security. Yet without the network-oriented and improved controls for discretionary access controls, identification, and audit capabilities, any assignment of responsibility could be easily disputed.
Requirements for interconnectivity and information sharing need to offer increased levels of assurance for data protection which is built on the foundation that Class C2 provides. Yet, for this kind of assurance, manufacturers are still lagging behind in the deployment of existing technology. For example, Internet browsers, which can use the Secure Sockets Layer (SSL) protocol as a security feature, can only guarantee that the machine the server is talking to is still the right machine that logged in. SSL does not help you if you are talking to a copy of that machine, or if someone other than the intended owner is using the machine.
The real difficulty is that security providers (Novell, Microsoft, IBM, Sun, and others) do not have customers clearly stating their requirements in the security area for commercial network operating systems. End-user companies have been slow to clarify their security needs, to develop adequate corporate policy to protect their information, or even to demand the technologies they need. For instance, suppose you download a new version of your favorite browser, which is now coming in through your company's security restraints. You have no idea whether that browser is giving away your passwords to someone else every time you use it. This is true even if you do have a Class C2 evaluated network or workstation, as this particular element needs a greater solution than what is currently available.
C2: Only the First Step
Admittedly, information sharing raises different problems than those that Class C2 security is designed to handle. Many of those issues are actually handled at a higher level of evaluated products, but it is necessary to recognize that information security products will need to be developed upon the very basis from which NetWare Class C2 was evaluated. Vendor claims to protect data with proper Authentication (I&A), Audit controls (A), and Discretionary Access Controls (DAC) do not mean that they really protect your data. Only real and workable standards from "Red Book" (TNI) evaluations can claim the versatility and levels of assurance that Novell customers need.
While the rest of the industry catches up to what it means to really have a trusted working environment, companies must consider upgrading their current network operating systems to network-evaluated Class C2 systems if they are to put real information privacy into place. The issue is trust, and in order to do business in an electronic environment, you have to "know" who you are doing business with at the other end. That requires the assurance by independently verified sources that your protections are adequate to the level of liability you want to assume in the transaction. (See the AppNote entitled "From Paper to Electrons: Initiating Safer Electronic Commerce" in the June 1997 AppNotes for more information on a secure e-comm infrastructure.)
The implications of running sensitive business software and creating sensitive business data files without "trustable" systems are well known. A Class C2 network certified operating system is a first step toward building trusted network systems, and toward fulfilling business needs for distributed document management, transaction processing, workflow, and so on, in a trustable space.
* Originally published in Novell AppNotes