Firewall Wizards mailing list archives
Re: Trusted Unices Aren't?
From: Randy Taylor <rtaylor () mail cist saic com>
Date: Fri, 16 Oct 1998 13:21:30 -0400
Small comments inline...

At 03:51 PM 10/16/98 +0400, ark () eltex ru wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> /* First, an "offtopic killer": somebody from SCO suggested using TIS fwtk under SCO CMW+ as a very secure firewall solution (fwtk-users () tis com ml) */
>
> It seems that nearly nobody noticed that one of the latest vendor-initiated bulletins for CERT (mscreen) listed SCO CMW+, a-claimed-to-be-close-to-B2 upgrade for SCO Unix, in the list of vulnerable systems. Said to be possible root compromise. How can this happen? How can "a serial multiscreen utility", a program that should have nothing like root privileges on an MLS system, be vulnerable _that way_? Does that just mean that at least _some_ "hardened unix" vendors just allow generic "suid root" programs running in this environment, thus completely trashing the whole MLS model?

Dunno, but back when the SCO CMW+ was a SecureWare product, you could brute-force rlogin attempts all day long on a fully configured CMW+ box and the OS didn't mind one whit - raised nary an alarm. This was around mid-late 1993 to early 1994. I heard that SCO bought SecureWare a year or two ago, meaning I wasn't surprised at all by the CERT announcement.

> Does that mean that you need, say, VMS, if you need _real_ multilevel security? What about a closer look at Trusted Solaris, DG/UX, whatever else exists on this market?

_shrug_ I've seen a lot of CMW's in the field. Most had the roles and levels munged so that the box was pretty much at C2 level. Reason? Usability. ;)

> CU in Hell
> /Arkan#iD
> Do i believe in Bible? Hell,man,i've seen one!

Best regards,
Randy Taylor
SAIC (and speaking only for himself)

-----
One of the most striking differences between a cat and a lie is that a cat has only nine lives. -- Mark Twain