From: Chris McDonald STEWS-IM-CM-S (1/26/93)
To: orvis%llnl.gov@wsmr-simtel20.ar,
Mail*Link® SMTP    Product Test 15

******************************************************************************
PT-15                                                            December 1990
******************************************************************************

1. Product Description: PROTEC is a software package which operates on an IBM PC, PC\XT, PC\AT, or 100% BIOS compatible microcomputer with at least 128KB of random access memory running MS-DOS or PC-DOS 2.0 or greater. The package adds Identification and Authentication (I&A), Discretionary Access Control (DAC), and Audit features to the DOS operating system. As of October 1990, the PROTEC vendor had not submitted the product for subsystem evaluation under the Department of Defense Trusted Computer System Evaluation Criteria.

2. Product Acquisition: PROTEC is available from Sophco, Inc., P.O. Box 7430, Boulder, CO 80306. The package is on the DESKTOP III contract.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548 or DDN: cmcdonal@wsmr-emh03.army.mil.

4. Product Test:

a. I obtained a copy of PROTEC, version 3.2, from an associate at Fort Bliss, TX in October 1989 and registered the copy with Sophco. Registration was to have resulted in the automatic receipt of update notices and, if required, technical support. However, I have received no notifications or any contact from the vendor since registration. Attempts to contact the vendor's technical support staff during the holidays were unsuccessful.

b. I tested the product on a Unisys PC, Model 3137, MS-DOS 3.10, 512KB and on a WYSE PC, Model 1100, MS-DOS 3.10, 512KB.

c. PROTEC is the fourth software access control package which I have tested over the last year. It offers a complete suite of options for the single user or for multiple users of an MS-DOS personal computer.
One may compare its features with SECUREPC (reference PT-2, October 1989) and PC/DACS (PT-16, August 1990). It is definitely a level above those packages which provide only identification and authentication of users along with boot protection (reference PT-14, October 1990, subject: PC-VAULT).

d. The key to PROTEC is the establishment of a Data Security Manager. The Manager establishes user accounts, sets security options, determines the privileges of each user, and has exclusive access to audit trail records. While an individual user can be his or her own Data Security Manager, it would seem appropriate to have an independent Manager for a medium to large scale organization (for example, 50 or more PROTEC installations). Only in this way would it seem reasonable to fully utilize the strengths of the product and to systematically analyze audit trail information.

e. PROTEC has these major protections at version 3.2:

(1) Boot Protection. A user may boot from a floppy disk, but can only access the hard drive if registered with an authorized user logon identification and authentication password.

(2) Password Protection. The Data Security Manager has the option to require user authentication passwords, and may establish parameters for password length and expiration.

(3) User Segregation. The Data Security Manager has the option to restrict users from accessing specific programs and/or sub-directories.

(4) Data Encryption. PROTEC offers an implementation of the Data Encryption Standard (DES) or of Sophco's proprietary algorithm, PhFA II.

(5) NOCOPY Anti-Theft Software Protection. The Data Security Manager has the option to install a device driver in the CONFIG.SYS file to specify that a user has execute-only access to a specific sub-directory and to the programs in the sub-directory.

(6) Audit Trails. PROTEC has the option to track system usage and security violations, and to write such information to a file available only to the Data Security Manager.

f. Installation of PROTEC is completely menu-driven with 100 pages of the Data Security Manager's manual dedicated to installation.

g. The identification and authentication of users, to include the Data Security Manager, relies on individual passwords. Although individual users can create their own password, the Manager has the option to set a "Low" and a "High" password length (0-17 characters); and to establish the number of days until password expiration (none to Manager's option). The Manager has the further option to turn on "lockout". With lockout enabled the system will lock up if an individual enters either a logon ID or a password incorrectly three times in a row.

h. One might attempt to bypass the password protection scheme by using a system disk to boot from the system's floppy drive. The Data Security Manager can enable boot protection as an option upon successful installation. I tested boot protection and found that it worked to deny me access to the hard drive. Attempts to view the hard drive with Norton Utilities were unsuccessful.

i. Discretionary access control is in the hands of the Data Security Manager. The Manager can establish program and data access privileges for each user by constructing access paths. Version 3.2 defines access rights as essentially an "all or nothing" proposition. If the Manager denies a user access to a program, that denial includes access to the sub-directory in which the program resides as well as to any data files contained in the sub-directory. There is a small section in the Manager's manual which discusses creating user specific data directories and constructing user paths. I installed several users with different "paths" and found that the access protection performed as described in the manual.

j. The audit mechanism of PROTEC, version 3.2, is minimal. The Data Security Manager has the discretion to select audit events by users, by applications, and by date.
Major events recorded include:

(1) Session Statistics: user logons, user logoffs

(2) Operational Statistics: program starts, program exits

(3) Violation Statistics: bad logon ID attempts, bad password attempts, attempts to bypass access control privileges

k. PROTEC offers either a DES implementation or a proprietary algorithm for software encryption. The DES implementation, which can run either from a menu or from the DOS prompt, had this type of performance with a 10 character user-supplied key:

Size of File        Time to Encrypt/Decrypt
22,885 Bytes        3.50 seconds
78,796 Bytes        5.00 seconds
113,318 Bytes       9.75 seconds

I ran the tests three times because I was totally surprised by the speed of the operation. Generally the PROTEC DES implementation was three times faster than three other DES implementations I have tested. I initially thought that I had utilized the proprietary algorithm rather than the DES. But this was not the case. My testing of the other DES implementations had occurred on the same Unisys personal computer, so hardware performance should not have been a factor. I remain puzzled over the startling performance, and have attempted unsuccessfully for three days to contact Sophco technical support to discuss the matter. Should I eventually obtain additional information, I will publish an addendum to this product test report.

Under Federal Information Processing Standard (FIPS) 46-1 the National Institute of Standards and Technology (NIST) must approve all implementations of DES in software. Respective DoD agencies have published instructions on this approval process.

5. Product Advantages:

a. PROTEC offers selectable protection features for stand-alone personal computers.

b. The package appears to function as documented.

c. The Data Security Manager has flexibility to choose what features will be enabled for individual users.

d. The vendor supplies both a Data Security Manager's Manual and a User's Handbook.

e. The vendor provides telephonic support at no additional charge.

f. PROTEC UNDER THE DESKTOP III PRICE LIST IS UNBELIEVABLY CHEAP FOR THE OPTIONS. My associate at Fort Bliss bought 10 copies of PROTEC at one time and paid approximately $130.00 per copy. The Desktop III price is under $25.00 per copy.

6. Product Disadvantages:

a. Version 3.2 has limited functionality for access control to programs and data. The Data Security Manager has no ability to distinguish between specific operations which might be executed on a program or on data (i.e., read, write, execute, delete, etc.).

b. There is user resistance to any type of control on personal computers. It may be difficult, in the absence of written policy which mandates the installation of an access control package, to find an audience for PROTEC.

c. The vendor has not submitted PROTEC to formal evaluation by the National Computer Security Center (NCSC). While there are controversies over the issue of evaluating a product against a subset of the requirements given in the Trusted Computer System Evaluation Criteria (TCSEC), and although ratings under the subsystem criteria are not identical to those in the TCSEC or Orange Book, the failure to enter the NCSC evaluation and rating process is surprising because PROTEC has been around since at least 1983.

d. The concept of a Data Security Manager for a personal computer demands a management commitment of resources and personnel. Though the vendor supplies a Manager's manual, the document contains a large amount of information in over 200 pages. Formal training of Managers and continuity of operations plans to support users who will require assistance in using PROTEC are essential.

7. Comments: PROTEC was one of the first commercial access control packages available for personal computers in the early 1980s. For several years a user had two choices: PROTEC or WATCHDOG from the Fischer International Systems Corporation.
Marketplace demand, however, has significantly increased the number of vendors who can supply comparable software products. Several of these vendors, with the notable exception of Sophco, have products on the NCSC subsystem criteria list.

Clearly the use of PROTEC must be a function of a realistic assessment of one's particular threat operating environment. It would be a mistake to impose the mandatory implementation of an access control package without such an assessment, or to commit an organization to PROTEC simply because of the DESKTOP III price.

It should be noted as well that there are other approaches to access control on a personal computer which employ hardware and/or a combination of hardware and software techniques. Various authors have commented on the increased protection in those products which have a hardware foundation (i.e., DES hardware versus software implementation). Since these products are similarly available on the NCSC subsystem criteria list, one would be well-advised to consider these alternatives for the sake of completeness.

Finally, no software access control package is 100% secure. I have witnessed the defeat of software-controlled boot protection at a recent Department of Energy training workshop. While the product defeated was one other than PROTEC, the description of the attack methodology appears independent of a specific vendor. The good news is that the methodology requires a sophisticated skill level.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]