[CCCure CISSP] Question relating to TCSEC


aditya
Hello All,

Q) I wanted to know which security level is the first to require a system to protect against covert timing channels?

Ans- Since covert channel analysis is implemented in the B2 level only, so the first becomes B3 since B3 would be required to meet all requirements of B2? Then can't it be A1 since A1 would need to meet all requirements of B3?


Q) On the same lines, which security level would be the first to require the system to support separate operator and system administrator roles?

Ans- According to the AIO book which I am following, B2 starts the protection for separate operator and system administrator roles. So won't B3 and similarly A1 inherit this requirement so the first level would become A1 again?

I am really confused, please help
--
Regards
Aditya Balapure


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
Re: [CCCure CISSP] Question relating to TCSEC

Adam Kuczewski
Hi Aditya,

I would say the first level that required covert timing channels protection is B3 and above (A1).
Answer to the second question: B2 and above (B3, A1).

The lowest level is D, the highest is A1.

Guys, correct me if I am wrong.


Adam

On Wed, Jan 9, 2013 at 10:41 AM, aditya <[hidden email]> wrote:
Hello All,

Q) I wanted to know which security level is the first to require a system to protect against covert timing channels?

Ans- Since covert channel analysis is implemented in the B2 level only, so the first becomes B3 since B3 would be required to meet all requirements of B2? Then can't it be A1 since A1 would need to meet all requirements of B3?


Q) On the same lines, which security level would be the first to require the system to support separate operator and system administrator roles?

Ans- According to the AIO book which I am following, B2 starts the protection for separate operator and system administrator roles. So won't B3 and similarly A1 inherit this requirement so the first level would become A1 again?

I am really confused, please help
--
Regards
Aditya Balapure


Re: [CCCure CISSP] Question relating to TCSEC

clementdupuis
Administrator
In reply to this post by aditya
Good day to all,

The keywords within this question are: THE FIRST

The rating goes as follows: D, C1, C2, B1, B2, B3, A1

D is a product that has minimalistic security features. C1 has some very basic requirements. As you move UP in the levels there are more and more requirements.

So to make a long story short, covert channels are FIRST introduced at B2 and from that point they would be required, which means they are required at B3 and A1 as well.

Please see my one page resume of the TCSEC in attachment showing what is introduced at what level. I have also included the one page mode of operations as well.

Best regards

Clement



Attachments:
Modes of Operations.png.pdf (69K)
TCB.doc (75K)
Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com