Weekly Edition
Return to the Security pageSponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
Understanding the Windows EAL4 rating
Microsoft has made a fair amount of noise about the "Common Criteria EAL4"
rating recently awarded to Windows 2000. For those of you who are curious
about what that actually means, this article by Jonathan
Shapiro is well worth reading.
EAL4 means that the design documents were reviewed using
non-challenging criteria. This is sort of like having an accounting
audit where the auditor checks that all of your paperwork is there
and your business practice standards are appropriate, but never
actually checks that any of your numbers are correct. An EAL4
evaluation is not required to examine the software at all.
In other words, this certification does not mean a whole lot. People who are interested in the security of their systems still need to look at the systems themselves and draw their own conclusions; there is no magic rating that will take the brain work out of the process. (Log in to post comments)
Understanding the Windows EAL4 rating Posted Dec 12, 2002 22:25 UTC (Thu) by construx (guest, #7694) [Link] Some interesting commentary on Shapiro's article in the latest RISKS:http://catless.ncl.ac.uk/Risks/22.42.html#subj10 I'm not sure I completely agree with either viewpoint, but the RISKS post sheds some light on the Common Criteria evaluation process. In the end, I think the security of an operating system is and should be judged more on its performance in the real world than in any static evaluation process. Already this month we've had two "critical" and one "important" security bulletins from Microsoft, and it's only the 12th.
|
|||||||||||