[luau] If someone ask you about Linux...

Taylor Cody L. Contractor 502 AOS/PETS Cody.Taylor at hickam.af.mil
Mon Jun 30 10:01:01 PDT 2003


Whenever, whatever, whoever,
You posted about the NIAP and the NIST before.  I had typed up a reply but I
didn't get around to posting it.  I was going to tell you last time that the
DoD doesn't go to the NIAP to decide what is COE compliant.  The NIAP and
the NIST are not DoD agencies.  The NSA is a DoD agency.  If you have
noticed, the NSA has their own security enhanced version of Linux.  I have
some more info about the NIAP if you want it.  The military goes to the CIO
"Chief Information Officers" Council to get a list of authorized products.  

I can tell you the use of Linux and other open source software is approved
by the DOD and has been used for years.  I have worked on many networks that
use Red Hat, Apache, Samba, Snort and other open source products.  I have
one close friend who is currently an admin on a military Linux network, and
another who uses Red Hat and SNORT every day to perform security duties.  He
is filling a security admin job.  His shop is a network security shop.  They
are very picky about regulations and they would not be using open source
software if it was not authorized.  There are many networks on this Island
that I have worked on that are very concerned with security and they have
been and are currently using open source products.  If you want to use M$ or
open source software you always have to follow Common Operating Environment
guidelines.  The same goes for hardware.  I happen to have instructions on
this workstation for making a Red Hat 7.2 machine COE compliant.  This means
Red Hat Linux is authorized on DOD networks if you comply with the
guidelines.  There is a standard kernel that is mandatory.  The use of a
standard kernel is to provide a common base environment or a foundation for
the open source architecture.  We have to follow guidelines when it comes to
what M$ updates we can load.  We are not authorized to load every piece of
software M$ puts out.  We wouldn't want a few hundred thousand users to
lose their network connection because we loaded a new M$ security update.
Mass chaos because of M$ updates has become a not so uncommon occurrence.  

One last thing.  I know the DoD has some confidence in the security of
Linux.  While I was in the Air Force one of my squadrons received the
outstanding unit award for network security, four years in a row.  I don't
think this would have happened if our Red Hat boxes weren't authorized.  But
ya never know.  I apologize if this turned into a long boring post.
-Cody

-----Original Message-----
From: whenever [mailto:whatever at whoever.net]
Sent: Monday, June 30, 2003 5:16 AM
To: luau at videl.ics.hawaii.edu
Subject: Re: [luau] If someone ask you about Linux...


Don't believe everything you read from any news agency.
Look at DoDD 8500.1, it supersedes DoD 5200.28-STD (Orange Book), read the
whole thing and read section 4.17 more than once.
http://www.dtic.mil/whs/directives/corres/pdf/d85001_102402/d85001p.pdf

Then go to http://niap.nist.gov
Can you find Linux there at all? Look under Validated Products or Products in
Evaluation.  If your answer is 'NO', then it's not happening yet.  Don't be
surprised when you see w2k there with EAL4 (C2 in OB).

On Monday 30 June 2003 04:27 am, ronal wrote:
> If someone asks you what is happening with Open Source and Linux? Ask the
> DoD...
>
> http://www.forbes.com/2003/06/20/cz_eb_0620linux.html
