Network Security: Red Book vs. Orange Book Evaluation
Articles and Tips: tip
01 Jun 1996
Being able to differentiate between "Red Book" and "Orange Book" certification of a networking product is important because your application environment depends on the security that the underlying network product provides. This NetNote looks at what it means to meet the evaluation requirements for "Red Book" versus "Orange Book" certification. It also explains how commercial network products, such as Microsoft's Windows NT and Windows NT Server, and Novell's Class C2/E2 release of NetWare 4, conform to meet these evaluation criteria.
Clear documentation is available that defines the relationship between the Trusted Network Interpretation (TNI, or the "Red Book") and the Trusted Computer System Evaluation Criteria (TCSEC, or the "Orange Book"). A network system (such as the upcoming Class C2/E2 release of NetWare 4) that is being evaluated to meet Red Book certification also meets Orange book certification. In contrast, an evaluation for only a single component under the TCSEC does not provide security for a "network" that contains the component.
Commercial Product Evaluation Context
The relationship between the evaluation requirements of TCSEC and TNI are presented in the TNI Introduction. Unless noted otherwise, the quotations in the following paragraphs are direct quotes from the Red Book introduction.
The Class C2 evaluation process that Novell is pursuing is focused on "commercial" or off-the-shelf products that are distributed in the general marketplace. (To the best of our knowledge, Microsoft is pursuing this type of evaluation as well.) This approach does not fall under the unique niche-market case that applies for special military or other governmental systems, where "an evaluation can be done to assess whether appropriate security measures have been taken to permit the system to be used operationally in a specific environment."
Novell is following the requirements as stated by the TCSEC, which are to "provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications." These requirements are growing in both the public and private sectors.
To meet the security needs of our customers, Novell is using NetWare 4.1 as the baseline for a modest set of security enhancements to form the Class C2/E2 release that will be submitted for evaluation. As noted in the TNI, this type of evaluation "is done by the National Computer Security Center through the Commercial Product Evaluation Process."
Relationship Between Red Book and Orange Book
Evaluation for a "network system" under the TNI requires that you meet all of the TCSEC requirements for the same class. TCSEC defines a network system as "the entire collection of hardware, firmware, and software necessary to provide the desired functionality." In other words, it is the complete network as operated by our customers. The current Novell evaluation effort that provides this solution is expected to earn a rating of Class C2.
The documentation from the National Computer Security Center (NCSC) makes it clear that there is no lower value for such an evaluation. For example, the TNI explicitly states that "the fundamental computer security requirements as defined in the TCSEC apply to this Interpretation." This compatibility is emphasized in the following TNI excerpt:
"In order to ensure strict compatibility between TCSEC evaluated . . . [networks], and to avoid the possible evolution of incompatible evaluation criteria, . . . this document has been specifically prepared as an INTERPRETATION of the TCSEC for networks. It is based entirely on the principles of the TCSEC, uses all TCSEC basic definitions, and introduces new concepts only where essential to understanding the TCSEC in a network context. Unless otherwise stated, the TCSEC requirements apply as written."
The Role of Network Components
One of the concepts beyond the TCSEC (Orange Book) that is introduced in the TNI is that networks can be (but are not required to be) constructed of independently-evaluated "trusted components." This is the approach being used in the current Novell Class C2 evaluation, but to the best of our knowledge, Microsoft is not satisfying these TNI requirements.
For TNI evaluation, "The policy enforcement by trusted components in a single trusted system' exhibits a common level of trust throughout. . . . Networks such as these can be evaluated against this Interpretation and given a rating compatible with trusted [systems] evaluated by the TCSEC itself."
The following excerpt from the TNI makes the significance of this kind of evaluation for interconnected components clear:
"The TCSEC provides a means for evaluating the trustworthiness of a system and assigning an evaluation class based on its technical properties--independent of the particular use for or the sensitivity of information being processed on the system. In this Interpretation, a network as a whole with its various interconnected components is recognized as a special instance of a trusted system."
There are three major components in a NetWare network: the client, the server, and the network medium. The primary Red Book evaluation effort from Novell is focused on the client and server components. (For more details, see "An Introduction to Novell's Open Security Architecture" in the August 1994 Novell Application Notes.)
From this perspective, all relevant components and their method of interconnection must be evaluated before you can validate the security of the "entire" network. Nothing less than this will meet the needs of the customer, because they must be concerned for the security of the whole network, not just portions.
"Any network evaluated under this interpretation must possess a coherent Network Security Architecture and Design." This is commonly referred to as the NSAD. Novell has prepared its NSAD that reflects several innovative approaches to permit a truly open, secure architecture for our customers. (More on this next month.)
In contrast, to the best of our understanding, Microsoft has evaluated its Windows NT client and Windows NT Server only as a single, non-networked components. Once you install a network interface board, these components are no longer Orange Book compliant because they were not tested with such a configuration. Excerpts from the National Computer Security Center (NCSC) Evaluated Products List (EPL) point out the progress of products in the evaluation process. The EPL as of July, 1995, states the following:
"The Microsoft Windows NT Service Pack 3 for Windows NT Workstation and Windows NT Server must be included to be in the evaluated configuration. . . . Because the evaluated configuration does not include a network environment, both products are considered standalone workstations. The security relevant differences between Windows NT Workstation and Windows NT Server in the evaluated configuration are minimal. . . . A network configuration of the Windows NT platform is currently pending evaluation agreement."
The TNI requires that "the Network Security Architecture and Design must be available from the network [vendor] before evaluation of the network, or any component, can be undertaken." Therefore, when there is only a single component, evaluation is usually done under the TCSEC (Orange Book) rather than under the TNI (Red Book), because the TNI would require that there be an NSAD.
As of May 9, 1996, there is no evidence that development at Microsoft has progressed to the point of a viable NSAD. In other words, Microsoft customers will not have the security of their whole network evaluated if it is based on the Microsoft solution, because Microsoft's present offering does not meet the following TNI requirement:
"In order for a trusted network to be constructed from components that can be built independently, the Network Security Architecture and Design must completely and unambiguously define the security functionality of components as well as the interfaces between or among components. The Network Security Architecture and Design must be evaluated to determine that a network constructed to its specifications will in fact be trusted, that is, it will be evaluatable under these Interpretations."
C2 Certification for a network environment does not begin until a "Blue Letter" has been sent. As of May 9, 1996, the NCSC has posted no such letter of agreement that certification for Windows NT for C2 Red Book has started or is in progress, or has changed from its original status presented in July, 1995.
A network system that has been evaluated as meeting the TNI (such as the Class C2/E2 release of NetWare 4.1) also meets the TCSEC requirements. In contrast, a product having an evaluation for only a single component under the TCSEC (such as Microsoft has for both client and server versions of Windows NT) does not provide a basis for establishing the security of a "network" that contains such a component. For customers concerned with the security of their network, evaluation under the TNI should be a key differentiator in favor of Novell's pending solution.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.