LWN: Comments on "Red Hat gains security certification (News.com)"
https://lwn.net/Articles/82816/

Comments posted to the LWN article titled "Red Hat gains security certification (News.com)".


Blah, you've got to hold your mouth right to be compliant...
https://lwn.net/Articles/84107/
Posted by apollock, Sat, 08 May 2004 10:00:30 +0000

Heh, so I download the certification report. The first page says it all:

    Version 3 with security update RHSA-2003:416 running on specified Dell and Hewlett-Packard platforms.

Oooh. The hardware it's running on makes it secure or not. Sheesh. I have to fork out the bucks for the hardware as well as the distro to run an EAL2 Linux distro. (RHSA-2003:416 is CAN-2003-0985 btw). Now on to the meat of the document...

Hmm, Oracle sponsored the evaluation. Interesting...

Ah, the TOE scope. Now we're cooking.

    "The TOE provides for a level of protection appropriate for an assumed non-hostile and well managed user community. It provides against threats of inadvertent or casual attempts to break system security."

Better not hook it up to the Internet then...

    "The TOE was evaluated in standalone mode. Most of its network facilities (e.g. DNS, NFS, NIS and Xwindows) were excluded from the evaluated configuration; the Security Target did include Security Functions relating to remote login."

How convenient. What I'd like to see is netfilter get accredited as an EAL something firewall. Checkpoint might sit up and take notice then.

Now the killer:

    "The following features of Red Hat Enterprise Linux were specifically excluded from the evaluation:
    - Apache Web Server
    - Kerberos
    - Crypto IP Encapsulation
    - Nmap
    - LILO
    - NFS
    - DNS
    - DHCP"

And there's a little footnote that I can't seem to connect with the body of the document saying that not all the functions for software development are permitted in the evaluated configuration of the TOE. Fair enough. Shouldn't be doing development in an accredited environment (i.e. Production), really. But no Apache? Can't run an EAL2 webserver on RHEL. Guess that would mean hooking it up to the nasty Internet anyway...


Red Hat gains security certification (News.com)
https://lwn.net/Articles/84106/
Posted by apollock, Sat, 08 May 2004 09:31:13 +0000

    "Remember that at these levels EAL certification mostly means that somebody has checked that the documentation is complete. It does not involve looking at the actual system in any detail, let alone doing so from the point of view of a dedicated attacker."

That's not strictly correct. When a product is evaluated under the Common Criteria, it's done so under specific Terms of Evaluation (TOE). In the case of Windows, I do believe the TOE included not having it plugged into a network (or at least it used to for NT4). I'm yet to read the TOE for Red Hat, but it'll be under a certain configuration, and if you deviate from that one inch, it's no longer certified to EAL2. End of story. And they do take into consideration the software, the source code etc. I remember once, Firewall-1 fell off an Evaluated Products List because they didn't get source code in by a deadline...


Red Hat gains security certification (News.com)
https://lwn.net/Articles/82938/
Posted by crankysysadmin, Fri, 30 Apr 2004 11:23:54 +0000

Does anyone take these certifications seriously anyway?

(with the exception of marketing people and managers who must show something to non-techs who have power over them in order to make them feel good)


Red Hat gains security certification (News.com)
https://lwn.net/Articles/82909/
Posted by jmshh, Fri, 30 Apr 2004 08:11:50 +0000

EAL certification does not certify security to be *at* level X, but to be *at least* there. Also SuSE didn't start at EAL 3, but got EAL 2 first. The level reachable by some system is determined by the minimum of a) its real security, b) the amount of money someone wants to put into certification, and c) how much customers want/need the certification.


Red Hat gains security certification (News.com)
https://lwn.net/Articles/82898/
Posted by anselm, Fri, 30 Apr 2004 06:21:27 +0000

Remember that at these levels EAL certification mostly means that somebody has checked that the documentation is complete. It does not involve looking at the actual system in any detail, let alone doing so from the point of view of a dedicated attacker.

Even the Windows EAL4 certification doesn't say much more than that the system may be reasonably secure if nobody on it is misbehaving (and that includes the programmers of third-party applications). If I remember right, the Windows machine in question was one with no networking and no software installed beyond the actual operating system.


Red Hat gains security certification (News.com)
https://lwn.net/Articles/82895/
Posted by flewellyn, Fri, 30 Apr 2004 04:35:39 +0000

That wouldn't be sufficient; you also have to bury it in concrete two miles down, and surround the area with full-scale military deterrents, such as a tank battalion, armed guards, and loudspeakers blaring the complete works of Barry Manilow 24/7. Only then would a Windows machine be considered fully secure.

Alternatively, you could just pay lots of money to the certifying body.


Red Hat gains security certification (News.com)
https://lwn.net/Articles/82872/
Posted by Soruk, Thu, 29 Apr 2004 23:04:18 +0000

I can only assume that for Windows to get EAL4 certification, they offered a machine with no networking ability and the PSU removed.
:-)


Red Hat gains security certification (News.com)
https://lwn.net/Articles/82864/
Posted by gavino, Thu, 29 Apr 2004 22:55:31 +0000

Some noteworthy quotes:

"Common Criteria certification is expensive"

"Red Hat still lags... It also trails versions of Unix and Windows that have EAL4 certification."

I get the feeling that the more you pay, the higher certification you get. To think that some versions of Windows could be two levels higher than Redhat in a security rating doesn't give me much confidence in the whole Common Criteria thing.

Anyway security is not a destination; it's a way of travelling. It's not a product; it's a procedure.