
Hardened OS rated above C2

I am charged with moving our Web based HR self-service to the Internet. HP has an OS version of HPUX called Virtual Vault that we have been examining. It is supposedly rated B1(+) using orange book ratings. Does any other vendor like Sun, IBM, etc., market a hardened OS for their platforms that is rated above C2?

Yes, there are. Nearly every vendor has their own high-security version of some operating system or other. Other operating systems have add-on packages that provide enhanced security. There are even high-security versions of Linux.

While it is nice to have an operating system that's been through orange-book ratings, keep in mind that there's no such thing as an orange-book rated Web server. The orange-book ratings all assume there is no network attached to the computer. I know I'm being a stickler when I say this, but the minute you put that Ethernet cable into the jack, you're no longer B1.

All these systems give what are called "mandatory controls," as opposed to "discretionary controls." Discretionary controls are ones that the users (and sysadmins) can set up the way they want. Mandatory controls are protections that the operating system enforces, ones that can't be changed for love or money.

The government systems use mandatory controls to enforce (for example) rules that state that an unclassified user can create but cannot read a classified document, while a classified user cannot create an unclassified document but can read one. These sorts of controls may, or may not, help you set up an HR Web server.

Systems that have mandatory controls are more secure than systems with discretionary controls. They're also harder to set up and more annoying to use. If you set it up with the wrong policy, then you may end up with a mandatorily enforced insecure system. I don't know anyone who's ever set one up without muttering a stream of choice Anglo-Saxon terms in the process.

Think of it this way -- suppose you hired a guard for your house who made sure that everyone who goes in and out has their bags searched and gets patted down, no exceptions. It would make you far safer, but you're also going to get irritated when you get patted down before and after stepping out in your bathrobe and slippers just to get the Sunday paper. It may be worth it, it may not. I can't make that decision, only you can. An HR Web server that has access to sensitive employee data sounds to me like a fine candidate for an ultra-secure server. The HP system is a good one. If you already use HP-UX, it may do you good. If you're open to other options, look around.
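The read/write rules described in the answer, as an added worked example that is not part of the original answer, of HP Virtual Vault, or of any vendor's product: a toy reference monitor that evaluates the classic Bell-LaPadula mandatory rules (no read up, no write down, over a lattice of level plus compartments) before it consults a discretionary ACL. The ACL can narrow access but never widen it past the mandatory policy, which is the "can't be changed by the owner" property the answer is describing. The level names, compartments, users and documents are constructed for illustration.

```python
"""Toy reference monitor: mandatory (Bell-LaPadula) check, then discretionary ACL.

Added example for this answer; not code from the original page, HP Virtual
Vault, or any vendor's product.  Levels, users, documents and ACLs are constructed.
"""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Linear ordering of sensitivity levels, lowest first (constructed names).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high in the lattice as `other`:
        level is not lower and every compartment of `other` is present here."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    classification: Label              # mandatory label, set by the security admin
    owner: str                         # discretionary: the owner may grant via the ACL
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def mac_check(subject: Subject, obj: Obj, mode: str) -> Tuple[bool, str]:
    """Bell-LaPadula: read needs clearance >= label, write needs label >= clearance."""
    if mode == "read":
        if subject.clearance.dominates(obj.classification):
            return True, "mandatory: read permitted"
        return False, "mandatory: no read up"
    if mode == "write":
        if obj.classification.dominates(subject.clearance):
            return True, "mandatory: write permitted"
        return False, "mandatory: no write down"
    raise ValueError(f"unknown access mode {mode!r}")


def dac_check(subject: Subject, obj: Obj, mode: str) -> Tuple[bool, str]:
    """Discretionary: the owner always passes; anyone else needs an ACL entry."""
    if subject.name == obj.owner or mode in obj.acl.get(subject.name, set()):
        return True, "discretionary: permitted"
    return False, "discretionary: no ACL entry"


def decide(subject: Subject, obj: Obj, mode: str) -> Tuple[bool, str]:
    """Mandatory policy is evaluated first; an ACL grant cannot override a denial."""
    ok, why = mac_check(subject, obj, mode)
    if not ok:
        return ok, why
    return dac_check(subject, obj, mode)


# --- constructed sample principals and documents ----------------------------
ALICE = Subject("alice", Label("UNCLASSIFIED"))
BOB = Subject("bob", Label("SECRET"))                        # SECRET, no HR compartment
CAROL = Subject("carol", Label("SECRET", frozenset({"HR"})))

NEWSLETTER = Obj("newsletter", Label("UNCLASSIFIED"), owner="bob",
                 acl={"alice": {"read", "write"}})
# The owner has generously granted alice read+write on the salary file; the
# mandatory label still stops her from reading it.
SALARIES = Obj("salaries", Label("SECRET", frozenset({"HR"})), owner="carol",
               acl={"alice": {"read", "write"}, "bob": {"read"}})


if __name__ == "__main__":
    for subj, obj, mode in [(ALICE, NEWSLETTER, "read"),
                            (ALICE, SALARIES, "read"),
                            (ALICE, SALARIES, "write"),
                            (BOB, SALARIES, "read"),
                            (BOB, SALARIES, "write"),
                            (BOB, NEWSLETTER, "write"),
                            (CAROL, SALARIES, "read")]:
        ok, why = decide(subj, obj, mode)
        verdict = "ALLOW" if ok else "DENY "
        print(f"{subj.name:6} {mode:5} {obj.name:10} -> {verdict} ({why})")
```

Two lines of the output are the ones worth staring at: alice may write (append) to the SECRET salary file but may not read it back, and bob, who owns the unclassified newsletter, may not write to it at all because his SECRET clearance could leak downward. That second case is exactly the "mandatorily enforced" behaviour that makes such systems awkward to administer and is why the policy has to be designed before the box is built.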

This was last published in October 2001
