On Mon, 21 Oct 2002 Valdis.Kletnieks@vt.edu wrote:
> Or stated differently - let's say you're a consultant. Which can you sell to the customer more easily - a firewall, or telling them that somebody needs to explain to the VP that 'viceprez' is a Bad Password?
That may partially explain why people sell it or even why they buy it. On the other hand, if we are supposed to be documenting best practices, why document bad practices just because it's easier for vendors or consultants to sell? www.google.com seems to find a lot of repetition of the same firewall lore, with only a limited amount of critical analysis.
> Is the Orange Book really dead?
> It's dead as far as providing an actual useful spec, as far as I can tell. It had a number of problems - an actual rating was only for *ONE* specific configuration, and changing it (even by upgrading memory or adding disks) would technically invalidate it. The whole RAMP thing to maintain a rating across a software upgrade was a true horrorshow paperwork-wise, and it didn't address network connectivity (although to be fair, there were other Rainbow Books that talked about RAMP and network stuff). It's still useful as a framework reference, mostly due to its ubiquity.
As a rating, evaluation, and certification regime, the Rainbow Series, Common Criteria, etc. have their issues. As handbooks or textbooks, the Rainbow Books were useful to a new practitioner in the field. My concern is that O/S (Orange Book) and application security seem to be almost completely dead in the computer security field. Network security, IDS, firewalls, etc. are where most of the action is. But host security is still where the buck starts and stops.