Firewall Wizards mailing list archives

Re: Trusted Unices Aren't?


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 30 Oct 1998 11:00:40 -0600

At 09:02 AM 10/29/98 -0500, Paul D. Robertson wrote:

> I've always been surprised that nobody has jumped on the "secure Web
> server" market, especially in the commerce environments.  ....

Me, too. Here at SCC we stick our toe in every so often, but haven't made
much of a splash.

An early version of Sidewinder was offered in a form that supported the
Netscape Commerce Server in a type enforced partition. The notion was that
a successful penetration of the Commerce Server process would generate a TE
violation and raise the alarm while similar behavior on a COTS OS would go
unnoticed. We don't have any such offering at the moment.

A couple of our former colleagues went to SecureWare in Atlanta. SecureWare
implemented a secure online banking system on their CMW, complete with a
100% functional demo bank. They were very happy with the fact that the
Comptroller of the Currency approved their implementation. The "demo" bank
was such a success that it bought out one part of SecureWare and HP bought
out the rest. HP's "Virtual Vault" is the result -- another attempt to
commercialize secure servers. I don't know how successful they've been, but
I heard discouraging rumors several months back.

Every now and then I see other MLS or CMW vendors offering similar things
at trade shows. I rarely see these things featured, and they don't appear
to prosper as product lines.

Marcus noted a while back that the big driver in e-commerce is the cost per
transaction. It costs more to buy a high security platform and it costs
more to implement an application atop one. So the higher security is only
going to happen if the online application is significantly more profitable
than existing processes *and* the perceived risk is high enough. Although
we might like to talk about highly profitable raids on e-commerce
operations, real world experience hasn't reached the level where people are
really scared of it.

Rick.
smith () securecomputing com


