| From: | mak-AT-suse.de (Martina Krahmer) |
| To: | lwn-AT-lwn.net |
| Subject: | "IBM and SUSE LINUX Achieve a Higher Level of Linux Security Certification Across all IBM eServer Systems" |
| Date: | Wed, 21 Jan 2004 11:10:14 +0100 (CET) |

IBM AND SUSE LINUX ACHIEVE A HIGHER LEVEL OF LINUX SECURITY CERTIFICATION
ACROSS ALL IBM eSERVER SYSTEMS

First Linux Operating System to Earn Evaluation Assurance Level EAL3+
Certification

Companies Also Reach Common Operating Environment (COE) Standard Necessary
for Command and Control Operations

NEW YORK, NY, January 21, 2004 -- IBM and Novell's SUSE LINUX business unit
today announced they had achieved new levels of security and operations
certification for SUSE that will further enable the adoption of Linux by
governments, as well as the Department of Defense for critical
command-and-control operations.
SUSE LINUX Enterprise Server 8 with Service Pack 3 on IBM eServers has
achieved Controlled Access Protection Profile compliance under The Common
Criteria for Information Security Evaluation (CC), commonly referred to as
CAPP/EAL3+.
This represents a major expansion from last August, when IBM and SUSE
announced they had achieved the first ever security certification for Linux.
At that time, EAL2+ certification was announced for IBM's eServer xSeries
line. Today's CAPP/EAL3+ achievement crosses the IBM eServer product line -
iSeries, xSeries, pSeries and zSeries systems, as well as AMD Opteron-based
systems.
CAPP/EAL3+ certification of Linux expands both the functional capabilities
and confidence in Linux security beyond that met with the EAL2+. This was
achieved through the addition of an auditing subsystem in SUSE LINUX
Enterprise Server 8 that provides auditing of security critical events. In
addition, the CAPP/EAL3+ certification required more exhaustive testing and
review.
IBM and SUSE LINUX also announced Common Operating Environment (COE)
compliance on IBM xSeries and zSeries platforms with SUSE LINUX Enterprise
Server 8, with support for pSeries and iSeries available in the first half of
2004. This achievement means that SUSE LINUX is the first Linux distributor
to offer both Common Criteria and COE compliance in the same package,
creating the opportunity to run operational applications in a secure
environment. COE, a specification created by the US Department of Defense
(DoD), addresses functionality and interoperability requirements for
commercially acquired IT products within its command-and-control systems.
"Certification under Common Criteria is a requirement for security related
products in our environment," said William Wolf, U.S. Navy, Space & Naval
Warfare Systems Center, San Diego. "We are encouraged by EAL 3 certification
for Linux, as new doors will open to build flexible, cost effective solutions
for our end users."
"Today's announcement with SUSE LINUX is another key development fueling the
rapid rise of Linux in the government sector," said James Stallings, general
manager of Linux for IBM. "The Common Criteria certification across our
server line further validates the security and quality of open source
software. Additionally, the achievement of the operating environment standard
necessary for critical command and control operations signifies that Linux
can now be considered on equal footing with other operating systems."
The evaluation was completed by atsec information security GmbH, one of the
world's leading vendor-independent IT security consulting companies, and
accredited in Germany by the Federal Office for Information Security (BSI).
"Securing the EAL3+ certification is another clear testament to the strength
of SUSE's processes," said Roman Drahtmueller, head of security, SUSE LINUX.
"Thanks to the close collaboration between SUSE, IBM and atsec, as well as
atsec's broad experience in security evaluation, customers now can benefit
from security assurances across all IBM platforms that are unique in the
Linux market."
The Common Criteria (CC) is an internationally recognized ISO standard
(ISO/IEC 15408) used by the Federal government and other organizations to
assess security and assurance of technology products. The CC provides a
standardized way of expressing security requirements and defines the
respective set of rigorous criteria by which the product will be evaluated.
It is widely recognized among IT professionals, government agencies, and
customers as a seal of approval for mission-critical software.
Under Common Criteria, products are evaluated against strict standards for
various features, such as the development environment, security
functionality, the handling of security vulnerabilities, security related
documentation and product testing. In certifying SUSE LINUX Enterprise Server
8 across IBM eServer systems, atsec information security GmbH evaluated how
SUSE LINUX develops, tests and maintains its products, as well as assessing
the processes in place at the company for handling security issues in its
software.
"BSI considers the increasing number of IT security certificates for IT
products as significant progress in advancing IT security on a broad
scale," said Udo Helmbrecht, President of the German Federal Office for
Information Security (BSI). "At the same time, certification has a positive
effect on the quality of IT products. The certification of SUSE LINUX
Enterprise Server 8 also demonstrates that the Common Criteria can definitely
be used as a basis for IT security certification of open source products."
IBM's commitment to accelerate the development and certification of Linux as
a secure, industrial strength operating system is further demonstrated by the
joint IBM/SUSE LINUX plan to pursue a higher level of security certification
for SUSE Linux - CAPP/EAL4+ - across the IBM eServer product line later this
year.
In addition to Linux, IBM plans to obtain Common Criteria certification of
z/VM, its premier virtualization technology, in 2004. It is anticipated that
z/VM will be certified to conform to the requirements of the Labeled Security
Protection Profile (LSPP) and the Controlled Access Protection Profile
(CAPP), both at EAL3+. z/VM helps enable mainframe customers to run tens to
even hundreds of instances of the Linux operating system on a single IBM
zSeries server. And in a future release of z/OS, IBM intends to certify z/OS
to the CAPP/EAL3 and the LSPP/EAL3+ levels.
IBM's suite of middleware products is also in line for Common Criteria
certification on Linux. Common Criteria certifications have been awarded to
IBM Directory Server and Tivoli Access Manager. Many other IBM Software
products are now in evaluation for Common Criteria certification. Additional
IBM Software products are being prepared to enter the evaluation process.
For more information about our current certifications, visit
http://www-3.ibm.com/security/standards/st_evaluations.shtml
About IBM
IBM is the world's largest information technology company, with 80 years of
leadership in helping businesses innovate. Drawing on resources from across
IBM and key IBM Business Partners, IBM offers a wide range of services,
solutions and technologies that enable customers, large and small, to take
full advantage of the new era of e-business. For more information about IBM
and Linux, visit www.ibm.com/linux.
About Novell
Novell, Inc. (Nasdaq: NOVL) is a leading provider of information solutions
that deliver secure identity management (Novell Nsure), Web application
development (Novell exteNd) and cross-platform networking services (Novell
Nterprise), all supported by strategic consulting and professional services
(Novell Ngage). Active in the open source community with its Ximian and SUSE
LINUX brands, Novell provides a full range of Linux products and services for
the enterprise, from the desktop to the server. Novell's vision of one Net --
a world without information boundaries -- helps customers realize the value
of their information securely and economically. For more information, call
Novell's Customer Response Center at (888) 321-4CRC (4272) or visit
http://www.novell.com.
Press should visit http://www.novell.com/pressroom.
Further information on SUSE LINUX Enterprise Server 8 can be found at
www.suse.com/sles/.
Media contacts:

Martina Krahmer
SUSE LINUX
Corporate Communications
phone: +49-911-74053-507
martina.krahmer@suse.com

Mike Darcy
IBM Worldwide Communications
Corporate Linux
phone: 914.766.4777 (t/l 826)
mdarcy@us.ibm.com