Domain: niap-ccevs.org
Stories and comments across the archive that link to niap-ccevs.org.
Comments · 25
-
They already did, and it made things worse
This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.
Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.
All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.
For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.
The process is now more "industry friendly". Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.
The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.
-
Re:Switch distros?
Neither Gentoo nor Ubuntu is on the certified products list... and therefore DoD won't/can't use it. Welcome to the Government, the land of red tape. http://www.niap-ccevs.org/cc-scheme/vpl/
-
Re:Geez. No excuse. EABOD.
Trickier than you think. The problem is that a lot of the drive erasing software people are mentioning in this thread isn't NIAP approved, which means that the Common Criteria Testing Laboratory hasn't analyzed the product, run it a bunch of times, and verified by hand that it does what it says it does. You, I, and some subset of Slashdot's readers might be inclined to check out the source code for DBAN, read it, test it, and make sure that our porn stashes are irretrievable, but the US government and military don't. They rely on the NIAP list to 'prove' (for some meaning of the word) that a given product does what it's supposed to and meets their standards, and trying to use unapproved software in those particular areas of employment is difficult in the extreme. The US military does have access to a couple of drive purging apps but the trick is actually getting hold of them.
-
Is it really EAL6? Or just SKPP compliant?
Look at the VPL entry for the product:
"Science Application International Corporation (SAIC) determined that the TOE doesn't satisfy any EAL defined in the Common Criteria, but rather fulfills the High Robustness requirements as defined in the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03, 29 June 2007. The TOE, when configured as specified in the installation guides and user guides, satisfies all of the security functional requirements stated in the Security Target."
It's unclear what this means. I haven't seen anything like this on any other evaluation.
On the other hand, the certificate indicates EAL 6. There have been press releases that point to both stories.
-
Re:hehehe; this is a marketing joke
Actually, Lynx is the marketing joke. Note that the page you reference doesn't actually say that the "Lynx EAL7" product has achieved the EAL7 rating. And Lynx is conspicuously absent from the official list of validated products.
Not to mention it's currently impossible for an OS to be certified to EAL7 because there's no EAL7 protection profile for operating systems.
-
Re:Let the Testing begin...
Ok, here are some real facts about how this works.
Under the Common Criteria (CC), people with financial ties create the product. They (or another sponsor who wants the product evaluated) pay an independent lab (CCTL) to evaluate it. Labs are certified by NIAP, a partnership of NIST and the NSA Information Assurance directorate. (The NSA has two main parts, the other is Signals Intelligence.) The independent lab evaluation is overseen by a Validation team employed by the government, who reviews the process and results of every evaluation, including all vendor evidence, before it is certified. The Validators also oversee the labs for proper execution of the CC. Once it passes all these reviews successfully it is certified.
Certifications are tiered by Evaluation Assurance Levels (EALs), from 1 to 7. Generally, the higher the EAL, the greater confidence there is in the vendor claims. This is NOT the same as being more secure!
The way to use these certified products is to select a product family (say firewalls), and review at a minimum two documents: The Security Target (ST) and Validation Report (VR). The ST is written by the vendor or sponsor, and basically contains the security claims they're making for the product, and how they expect the product to be used. The Validation Report describes how those claims were evaluated, and what notable things the Validation team observed during the evaluation. After reading both of these documents (usually not more than 100 pages - pretty short for 1-2 years of work) you can determine if the product can be used in its certified configuration in your environment.
Check out some interesting operating systems, like Windows XP, Mac OS X, or one of the Linuxes.
It's certainly not perfect, but it's better than what we had.
-
Re:Article misleads about EAL6
From what I read, the EAL rating system is just the assurance level of the protection profile.
The O/S was awarded a protection profile of "High Robustness" at EAL-6+ (the + just means they went a little above and beyond EAL-6), which seems to indeed be the highest security rating awarded.
On their website if you sort by "Conformance Claim" for validated products it seems to hold this up. Then again, it may just be sorting in alphabetical order. :)
-
And...
...what exactly does EAL mean again? Does anyone really know? Should we care? http://www.niap-ccevs.org/ gives no assurance at all in my mind that EAL is more than a very expensive marketing proposition.
-
The Protection Profile and Validation Report
The Protection Profile and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/pp/id/pp_skpp_hr_v1.03.
The Security Target and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/st/vid10119/.
-
Re:OpenBSD???
"While openBSD may be more secure, remember the Army is about procedures. Leopard has been certified as Unix like AIX and Solaris"
If that were the case, you'd think that Common Criteria evaluations done by the gov't themselves would be more important than whether something is certified Unix, which is largely irrelevant when it comes to security. Several Linux distributions have EAL4+ certifications while both Leopard and openBSD do not (not that it *really* means they are any less secure). So if procedure was really that big of a deal you'd think they'd go with Linux or at the very least Panther which is EAL certified.
-
Missing the point
Virtualization layers, and their cousins Separation Kernels, are the darlings of the security crowd because they can be written in a relatively small number of SLOCs, which means there is a possibility to formally analyze them, where formal analysis means proofs written in a well established mathematical notation and machine checked. Green Hills Software has a separation kernel that should shortly be certified to a very high level (EAL 6 Augmented) CCEVS
-
Re:Formal operating systems evaluations?
Really, I was just being snarky: if you or I test drive a few different operating systems with our (or our organization's) needs in mind and we call it formal, we get laughed at. If this guy does so, he gets to not only call it formal, but also delineate the temporal boundaries of the formal period of his evaluation. It's meaningless. He took a test drive. Call it that.
In a world where I was potentially being serious, I might have responded to your arguments thusly:
Since you accuse me of question-begging, I will answer the question you allege I begged, namely to outline the varyingly "formal" evaluation pathways. The currently accepted norm is that two markets for software products require evaluation: safety-critical and security-critical. Some few systems have requirements for both, but rarely is this acknowledged. The reason for this is the evaluation standards for each community are quite burdensome, but have relatively little overlap, even though one might think they would.
In the US especially, the safety critical community is divided further, into avionics and medical; evaluations are overseen/conducted by the FAA and FDA respectively. The two primary standards the FAA evaluate under are DO-178B and ARINC-653. Each has several levels of scrutiny depending on the potential consequences of failure of the software at hand. None of them are formal in the sense that properties about the code are proven mathematically. They are instead formal in that a list of functional requirements is provided, as is a traceability matrix that links the specification to the code that implements it and vice versa. Typically the higher levels of evaluation mandate things like an absence of extraneous code resident on the system. Current safety evaluations are not modular, and have to be fully reiterated even on the smallest change to the software. If you were to buy an OS that has been in a product that has been evaluated, you would also want to buy their evaluation evidence or else you'd have to reproduce it.
Security critical software is evaluated, in the countries that are signatories to the Common Criteria Treaty (forget its actual name), under the common criteria. Again, it has a variety of levels of intensity of evaluation, but more tricky is the fact that there is another variable: the anticipated use and threat environment, known as a protection profile. The Common Criteria website explains it far better than I'm capable of: http://www.commoncriteriaportal.org/
This site includes a list of operating systems that have gone through evaluation. Most of them are evaluated to levels 3-4 on a scale of 7, which seems fairly good until you examine their protection profiles. Most of those assume no malicious users, and a variety of other restrictions that preclude consideration of threats common in most deployment scenarios. The reason for this is that vendors want to garner marketing cachet by being able to claim a high evaluated assurance (EAL) level, assuming the multidimensional system will confuse prospective buyers. This happens on both sides of the MS/everyone else aisle.
There is also a page on that site for products that have gone through evaluation, and in the US flavored site there is a list of products under evaluation: http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm.
So, the evidence from an evaluation is indeed closely held by the companies that have products evaluated, but the idea in having a "neutral" third party evaluate under a more broadly common set of criteria was to shift away from groups closely holding net results, while allowing those results to still be meaningful, especially for comparing different companies' products. You see, there is no competitive advantage in being evaluated and not telling anyone your score.
-
Re:For people who don't grok EAL4 and ALC_FLR.3
Actually, here is the RHEL5 cert (both your links are the same).
-
Qualification was without GUI
This is very good, but it should be mentioned that the qualified / tested configuration does not include a GUI. (See page sixteen of the validation report (PDF):
"While the TOE distribution media includes a Graphical User Interface (GUI), it is not installed by default, is not part of the Evaluated Configuration and was not evaluated.")
This is fine for servers, but may be an obstacle if you want to use it as a desktop. For comparison, Trusted Solaris' validation does include the GUI.
-
Re:For people who don't grok EAL4 and ALC_FLR.3
the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received.
Here is the Windows cert. Here is the Redhat one. Notice that under PP identifiers Windows has CAPP, while Redhat has CAPP, LSPP and RBACPP.
-
Re:XP SP2 and Windows Server 2003 has the same rat
Microsoft is only certified CAPP/eal4+. That is not LSPP/RBAC which is much harder and more secure.
-
Re:CentOS too?
And it should soon (Jun 21) also be certified to the same level on HP hardware. See entry 10165 here: http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm