
Red Hat gains security certification (News.com)

News.com reports on the EAL2 security certification of Red Hat Enterprise Linux 3. "Version 3 of Red Hat Enterprise Linux has been certified to meet Evaluation Assurance Level 2 (EAL2) of the Common Criteria certification, Red Hat said Thursday. The internationally recognized Common Criteria certification is a typical requirement for government customers. However, Red Hat still lags its main rival, Novell, whose SuSE Linux has been certified to the more stringent EAL3. It also trails versions of Unix and Windows that have EAL4 certification."


Red Hat gains security certification (News.com)

Posted Apr 29, 2004 22:55 UTC (Thu) by gavino (guest, #16214) (1 responses)

Some noteworthy quotes:
"Common Criteria certification is expensive"

"Red Hat still lags... It also trails versions of Unix and Windows that have EAL4 certification." I get the feeling that the more you pay, the higher certification you get. To think that some versions of Windows could be two levels higher than Redhat in a security rating doesn't give me much confidence in the whole Common Criteria thing.

Anyway security is not a destination; it's a way of travelling. It's not a product; it's a procedure.

Red Hat gains security certification (News.com)

Posted Apr 30, 2004 8:11 UTC (Fri) by jmshh (guest, #8257)

EAL certification does not certify security to be at level X, but to be at least there. Also SuSE didn't start at EAL 3, but got EAL 2 first. The level reachable by some system is determined by the minimum of a) its really security, b) the amount of money someone wants to put into certification, and c) how much customers want/need the certification.

Red Hat gains security certification (News.com)

Posted Apr 29, 2004 23:04 UTC (Thu) by Soruk (guest, #2722) (4 responses)

I can only assume that for Windows to get EAL4 certification, they offered a machine with no networking ability and the PSU removed.
:-)

Red Hat gains security certification (News.com)

Posted Apr 30, 2004 4:35 UTC (Fri) by flewellyn (subscriber, #5047)

That wouldn't be sufficient; you also have to bury it in concrete two miles down, and surround the area with full-scale military deterrents, such as a tank battalion, armed guards, and loudspeakers blaring the complete works of Barry Manilow 24/7. Only then would a Windows machine be considered fully secure.

Alternatively, you could just pay lots of money to the certifying body.

Red Hat gains security certification (News.com)

Posted Apr 30, 2004 6:21 UTC (Fri) by anselm (subscriber, #2796) (2 responses)

Remember that at these levels EAL certification mostly means that somebody has checked that the documentation is complete. It does not involve looking at the actual system in any detail, let alone doing so from the point of view of a dedicated attacker.

Even the Windows EAL4 certification doesn't say much more than that the system may be reasonably secure if nobody on it is misbehaving (and that includes the programmers of third-party applications). If I remember right, the Windows machine in question was one with no networking and no software installed beyond the actual operating system.

Red Hat gains security certification (News.com)

Posted Apr 30, 2004 11:23 UTC (Fri) by crankysysadmin (guest, #19449)

Does anyone take these certifications seriously anyway? (with the exception of marketing people and managers who must show something to non-techs who have power over them in order to make them feel good)

Red Hat gains security certification (News.com)

Posted May 8, 2004 9:31 UTC (Sat) by apollock (guest, #14629)

Remember that at these levels EAL certification mostly means that somebody has checked that the documentation is complete. It does not involve looking at the actual system in any detail, let alone doing so from the point of view of a dedicated attacker.

That's not strictly correct. When a product is evaluated under the Common Criteria, it's done so under specific Terms of Evaluation (TOE). In the case of Windows, I do believe the TOE included not having it plugged into a network (or at least it used to for NT4). I'm yet to read the TOE for Red Hat, but it'll be under a certain configuration, and if you deviate from that one inch, it's no longer certified to EAL2. End of story. And they do take into consideration the software, the source code etc. I remember once, Firewall-1 fell off an Evaluated Products List because they didn't get source code in by a deadline...

Blah, you've got to hold your mouth right to be compliant...

Posted May 8, 2004 10:00 UTC (Sat) by apollock (guest, #14629)

Heh, so I download the certification report. The first page says it all:

Version 3 with security update RHSA-2003:416 running on specified Dell and Hewlett-Packard platforms.
Oooh. The hardware it's running on makes it secure or not. Sheesh. I have to fork out the bucks for the hardware as well as the distro to run an EAL2 Linux distro. (RHSA-2003:416 is CAN-2003-0985 btw). Now on to the meat of the document...

Hmm, Oracle sponsored the evaluation. Interesting...

Ah, the TOE scope. Now we're cooking.

The TOE provides for a level of protection appropriate for an assumed non-hostile and well managed user community. It provides against threats of inadvertent or casual attempts to break system security.
Better not hook it up to the Internet then...
The TOE was evaluated in standalone mode. Most of its network facilities (e.g. DNS, NFS, NIS and Xwindows) were excluded from the evaluated configuration; the Security Target did include Security Functions relating to remote login.
How convenient. What I'd like to see is netfilter get accredited as an EAL something firewall. Checkpoint might sit up and take notice then.

Now the killer:

The following features of Red Hat Enterprise Linux were specifically excluded from the evaluation:
  • Apache Web Server
  • Kerberos
  • Crypto IP Encapsulation
  • Nmap
  • LILO
  • NFS
  • DNS
  • DHCP
And there's a little footnote that I can't seem to connect with the body of the document saying that not all the functions for software development are permitted in the evaluated configuration of the TOE. Fair enough. Shouldn't be doing development in an accredited environment (i.e. Production), really. But no Apache? Can't run an EAL2 webserver on RHEL. Guess that would mean hooking it up to the nasty Internet anyway...

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds