Slashdot Mirror
Justifying the Common Criteria Security Evaluation
lewko writes "Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case. Microsoft bashing aside, the process in evaluating a security product is relevant to anyone considering the deployment of technology into their environment." The EROS operating systems he mentions looks interesting - of course, it also looked interesting three years ago.
Well how much of what is secure? It seems to me that MOST of the security bugs one associates with Microsoft are problems with two programs in particular--IIS and Outlook (Express version only).
Bueller?
This kind of certification is a great thing for people running Win2K. But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now? A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS. It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers are buying upgraded products fast enough.
The Common Criteria security standards deal with the design of operating systems, not the implementation. It has been certified that the security system used in Windows 2000 is "well designed"; but this says nothing about how many bugs there might be in the code.
Tarsnap: Online backups for the truly paranoid
The trouble I find is that I'm able to evaluate the level diligence the IT staff at any given company has taken, I'm able to audit the level of (attempted) compliance to any documented security policy and I'm even able to assess internal security configuration and controls.
Ultimately though, I'm signing off on audit opinions that ALWAYS says and feeling a little sick about it. If we got sued, I could provide documentation proving that I diligently checked security and based on "accepted" business standards the security was implement at a reasonable level. Basically, I could cover my ass.
Is there anyone out there that has an audit program for Win2k that they would feel comfortable using to tell the auditors that they can rely on the numbers? Just curious.
Oh, BTW, the auditors could care less about Common Criteria and even though they're thick as pudding about IT, they're still smart enough o bring in outside people when they need to rely on any computer's numbers.
It was followed by a short lived, but lengthy discussion with regular readers of worldtechtribune (including the editor-in-chief apparently) and some other newsforge readers.
You may or may not find some interesting thoughts, or just more (mis)information.
Before you mod me down, I am a network admin that works with both windows 2000 and linux on a daily basis. I am also a certified MCSA (though we all know what we think of certs :) ). Anyways, my #1 reason why i think windows security SUCKS, is that the damn OS has no real firewall built into it! I mean, come on, with win2k you gotta either buy a hardware firewall (cisco pix, etc), or throw a unix box in front of it. And yes, i know XP does have a basic firewall built in, but do any of you want to run a server on XP ? People always bitch at MS for bundling software into their OS, but there's no excuse to not include reasonable packet filter ability in the OS. Thats why I believe the only time you EVER put a MS box on the net is if its behind a NAT or something else that totally hides the box from outsiders.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Given that Microsoft constantly modifies shared portions of its Operating Systems via Service Packs, Windows Update, and while installing new applications...well, precisely how meaningful is any declaration of the security of a given Microsoft OS? Just tracking WHAT you have on a given Windows box is enough to make most sysadmins break out in hives.
If you have any software configuration that strays more than trivially from the one tested for security than the certification isn't really relevant.
is CAPP/EAL4.
It protects me against threats of inadvertent or casual attempts to breach the system security, like people walking in while I'm, uhh, ya know.
Of course it does nothing when someone disables the lock or tries to kick the door in.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
...that Microsoft is more concerned with protecting its software from the "evil pirates" who made Windows and Linux big, than they are about keeping our critical information secure. Great, they can lock you in jail for 20 years because you gave your friend a copy of Word XP, but they won't lift a finger to keep REAL CRIMINALS from hijacking your identity.
Microsoft more than anything has pissed me off over their threat ads in certain areas. If you haven't heard them, I'd encourage people to find a way to hear them. They are shocking in their brazen "Stop being a criminal or we'll make you our woman and you'll like it." attitude.
Microsoft has been proven to be the sham it is, even by the government. When the US Government, the most incompetant bureacracy in existence says that you suck...man, you have to seriously do some soul-searching...if Gates even has one.
Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.
"...[Windows 2000] has no real firewall built into it!"
Where do you draw the line? Microsoft is stuck between a rock and a hard place here. On one hand, if they don't put in a firewall, people will complain that they have to buy additional software or hardware to secure the OS (which is true.) On the other hand, if Microsoft does add a firewall, Norton, Symantec, and 50 other "personal firewall" software makers would scream bloody murder: "Microsoft is leveraging their OS monopoly to put us out of business!"
I'd guess the crappy firewall built into XP is a sort of compromise. On one hand, you don't want millions of unsecured Windows boxes running around on the Internet. So Microsoft surreptitiously adds an incoming-packets-only firewall to XP. Sure, it's a crappy firewall, and it doesn't offer real protection. But it keeps the firewall software makers at bay, and it keeps Microsoft out of the Justice Dept. gray area.
Most sysadmins would buy a hardware firewall or dedicated NAT device with firewall anyway... so at least in corporate settings, that problem is solved. Really, it's going to be tough for Microsoft to add any decent programs to the OS at this point, since they've already been found guilty of illegally bundling Internet Explorer. I'd watch for more stuff to be attached to Office or offered as a free download instead.
Simpli - Your source for San Jose dedicated servers and colocation!
Vendors hated NSA's old rating process. The standards were tough, NSA did the evaluations themselves, and you only got two tries to pass. After the first evaluation, NSA told you what was wrong. If you failed on the second try, that was it - you flunked. Worst case, NSA listed your product as "Class D - This class is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class."
Later, the process became much more "vendor friendly". Evaluations are performed by outside contractors, and vendors can submit their software over and over and over again until it passes. Microsoft used this process to push NT 4 through. It took years. The evaluation process is controlled by the vendor, and there are no public reports of failure.
The "common criteria" are rather weak, down near the bottom of the old NSA criteria. And the evaluation process is almost totally under vendor control, although it does have to be performed by an outside contractor acceptable to the Government.
There's better stuff out there. Currently, the most secure OS certified is the Wang XTS-300. This is certified to level B3 of the old Red Book criteria, which is about four notches above the level Windows 2000 just reached. Various FBI and DoD systems use Wang XTS-300, which is on Wang-built Pentium II and III systems. Wang is gone, but the product has been taken over by Getronics, which keeps a low profile.
Read the data sheet for the XTS-300. It's UNIX-like, but very different inside.
Coming soon, the XTS-400, which runs Linux apps.
These secure systems enforce a "mandatory security" model. Data has a security level, an integrity level, and a list of compartments to which it belongs. Movement downward in security level or upward in integrity level is prohibited, as is movement out of a security compartment or into an integrity compartment. This is very restrictive, but it's the only approach known to have any chance of really working.
There is really only one reason why MS went through all the trouble to get Win2k certified at CC-EAL4 (Equivalent to Orange book c2). MS wants the governemnt to upgrade to Win2k. Until now, many government sites would only use NT4.0 SP6a because that was the lates MS OS with the C2 certification. But now that Win2k SP3+ has recieved the, C2 equivalent, EAL4 certification, the government will be free to use Win2k on many of their systems without violating any secirity regulations.
The CC certification does not prove that Win2K is free from security related bugs, nor does it realisticaly prove that Win2k is secure. All it does is prove that Win2k, in certain configurations, adhears to the requirements of a EAL4 rated protection profile.
You're right, but...
There is nothing which *would* constitute a sufficient condition for security. You can't check any particular property, of the product or process, and say "Yup, it's secure." We should all know that by now. In general, the closest we come is to haul out a long list of known mistakes (the absence of which is a necessary but not sufficient condition) and hope not to find them.
It's also helpful to remember that the Common Criteria don't define try to define a reasonable security certification. What they do provide is a list of things which might be interesting and ways of measuring those things. It's up to the "end user" to choose which things are important to them (define a protection profile).
but who the hell are the CommonCriteria folks, and why must I give a shit what they think of whatever OS?
The above is an honest question, if you can't elaborate clearly, please don't even bother to reply.
Thank you.
Welley Corporation - SLM Scammers
In essence, like the author stated, many people are substituting education about security issues with Common Criteria certification. However, if the customer doesn't know what they want, or if they don't understand what Common Criteria does and DOES NOT check, then the customer still has no idea what they are getting. And like the author, I sometimes wonder if Common Criteria certification short cuts the basic security background required to write an RFP and replaces it with a check box for an EAL.
In particular, if you work on or sell a security product and want to sell to government or the European Union, it must be Common Criteria certified. What the certification proves, however, is up to the interpretation of the person implementing the product.
Having helped develop C2 Unix OSes, I can tell you that Linux does not come close. There may be patches for all I know, but for sure stock Linux doesn't cut it. It's not a matter of Linux being buggy or broken; it's just not built to be that secure. I don't recall all of the criteria, but they are quite intrusive and the vast majority of Linux users would find them more than burdensome.
One example that immediately comes to mind is that "ps" listings can't show other users' processes. Many of the C2 requirements are kind of like that.
I know some commercial Unixes are certified to C2 if you have it configured right. What about the Linuxes?
Glad you asked. Some people might look at the fact that Linux doesn't have a XYZ 'certification' as a indication of that it is not secure enough to get it.
In reality, such certifications cost a lot of money and small companies like RedHat simply can't affort it (They don't make enough money of release X.Y during it's market-life, to justify such a operation)
What is interesting about this new Windows 2000 certification is that it's for a system that operates in a "safe" environment (i.e. not on the Internet) and Microsoft specifically asked, and paid, for grading at this level.
Now, you can interpret that as you want, but most of us are probably understanding it as "This is how secure Microsoft thinks Windows 2000 actually is". (Such gradings take a long time (few years) and I doubt that Microsoft will have another go at a higher grading before the EOPL (end-of-product-life) of Windows 2000.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I bumped into this several years ago, in the antivirus field. "Get the product certified", said the marketing department. "Some big corporates want to see an official certification" said our sales people.
So I looked into it. At the time, it was called "Itsec", now it's "Common Criteria". It was run, in those days, by the electro-spooks, based in Cheltenham.
When I found what it was, I was absolutely ROFL.
I, the vendor, was expected to state the functionality of the product, what it was supposed to do, security-wise. They call this the TOE, "Target of Evaluation"
They, the evaluators, would check that it met that functionality, and give me a certificate if it did.
So far, so good. But what's the right functionality? In my case, what functionality should an antivirus have (rhetorical question, please don't tell me, except it isn't as simple as you might think).
So, I said to the people who ran the scheme, Suppose I define my functionality as "Comes in a blue box". Could I get an Itsec certification for that? The answer boiled down to "Yes, but that isn't a security issue". "Yes it is," I said.
Um. Who defines what is a security issue and what isn't? I was saying that the lack of a blue box, was a security issue. How do you say it isn't? Anyway, that's my TOE, please certify it. Well, it never got that far, that was just my way of telling them that their scheme was a joke.
So I went to a pal of mine who ran the security department at a university, suggested that he set up a certification scheme, and got the product certified under that instead. That made our marketing people happy, also our sales people. Customers had a certification to pin on the wall, everything was tickety-boo.
Except the government people, who knew they were being made monkeys out of, because I threw that "Comes in a blue box" thing at them at every conference and seminar I went to, and I heard that it started to seriously embarrass them, because people started asking questions about the value of their certifications. There's more in that thread - things did start to change, but the change didn't happen in the end.
Now, I'm not suggesting that the Microsoft certification says "Comes in a blue box." But until you've read the TOE, you don't actually know what security functions have been certified.
In reality, such certifications cost a lot of money and small companies like RedHat simply can't affort it (They don't make enough money of release X.Y during it's market-life, to justify such a operation)
No, Linux would fail evaluation because it does not meet many of the important security requirements. In particular there is no system security guide that describes how to securely configure the O/S in a single place.
Documentation is a large part of the C2 criteria. Linux simply fails that test. You cannot get certification for a third party guide for good reason, the document has not been reviewed by the engineers who wrote the code.
It is interesting to note how the Fox News style bias of slashdot on the security topic gets more hysterical by the month. Could it be because analyst firms like Aberdeen are predicting that Linux will become the poster chid for security, and no they don't think it is more secure.
So Microsoft get a security evaluation, the slashdot response is to publish the story three times to date, each time claiming that it is further proof that Microsoft's products are insecure. At what point do people ask whether the Slashdot editorial style has more to do with the commercial interests of their employer than an interest in honest journalism?
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/