In what is being seen as a gentle clip round the ear for the networking encryption standards being proposed by the Clinton administration, Novell Inc has rallied a worldwide contingent of customers, industry partners and security experts to increase the level of network security for commercial and government companies (CI No 2,211). Companies involved in the effort with Novell include AT&T Co, Computer Associates International Inc, Citicorp, Hughes Aircraft Co, Motorola Inc, and some dozen smaller companies specialising in data security. This is an attempt to show that industry can co-operate effectively, said William Ferguson, an executive at Semaphore Communications Corp, a Santa Clara data security company participating in the announcement. The group is setting out to define and deliver an evaluated and trusted computing model for affordable network security that more accurately reflects how customers implement systems and networks today. The security model is also intended to expand the scope of systems that can be submitted for C2/E2 security evaluation. Previous submissions for security evaluation involved only single component and stand-alone system configurations. The team will use the National Computer Security Center C2 and European Commercial Licensed Evaluation Facilities E2 evaluation processes to evaluate and validate the model, which will be in the form of an open umbrella that enables Novell and other vendors to provide products for evaluation. 
The C2 security specification covers identification and authentication, normally handled by a log-in and password routine; discretionary access control – assignment of object access privileges based on authenticated users’ access rights profiles; audit, describing how the operating system audits all or key security-related events between subjects and objects; and object re-use, whereby the operating system ensures that all user-assignable object space, such as main memory and disk space, is wiped of all data prior to its assignment to another user, rather than simply having the first letter of the file names wiped off, so that Mr Norton can bring along his simple but ingenious tricks and restore all the files to their pre-delete state. Novell has submitted NetWare 4.0 to the National Computer Security Center as the network operating system for evaluation using the existing C2 security criteria. NetWare 4.0 provides all four C2 security functions and supports a distinct level of assurance, Novell claims. Since for a true trusted network, the NetWare server and each component of the network has to be trusted, the NetWare security model seeks to expand the scope of systems that can be evaluated by providing an open architecture so that Novell and other vendors can participate. As a first step, Novell has included Cordant Inc’s Assure product with NetWare 4.0 in its initial proposal to the Security Center. The Assure product provides the required C2 security functions for MS-DOS and Windows clients and is tightly integrated with NetWare at the workstation to provide a seamless fit with NetWare’s security model to create a true trusted network consisting of servers and workstations on an Ethernet or Token Ring network.
Although Novell is using the Cordant product for its initial evaluation, it intends to provide an open security application programming interface set that will enable other third-party developers to evaluate their products against the NetWare 4.0 C2/E2 baseline.
Forming advisory, security groups
The company is also forming two groups comprising customers, partners, developers and industry experts – the Industry Advisory Group and a security Special Interest Group – to help it in its effort, and will also work with other industry groups such as standards bodies, end user groups and evaluation facilities as the NetWare model is developed. Novell claims that its NetWare, UnixWare and Unix System V releases all provide a high level of base security with options for C2 through B1 and B2 functionality and promises that as the new security model is defined, all three will be integrated to provide users with a trusted network computing environment including these products.