IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
CNN.com has this story too.
Microsoft set out to get Win2K certified and only completed the process last October according to .
Linux now has the upper hand because MS does not yet have XP certified.
I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.
I believe Linux received an EAL 2. Windows 2000, however, has received an EAL 4. An EAL 4 involves more security checks and requirements.
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.
IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.
Kirby
Check out here: http://www.commoncriteria.org/
Yeah it's like the whole 'No-one ever got fired for choosing Oracle' thing.
In this case 'No-one ever got fired for choosing Common Criteria software'.
The important thing to remember here is that a lot of central government positions and even more local government positions are taken by people who could not support their employment in the private sector.
Another interesting point in this article is the statement that the Linux market is expected to grow from $2 billion to more than $5 billion in 2006. That's a very important increase in a short period of time. Definitely something for Microsoft to be worried about.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
IBM has gotten Linux certified
Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.
Linux got the highest rating possible
No it didn't. FUD. According to this story...
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.
In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.
It's still good to see Linux get this certification though. It's another step towards displacing Windows.
Don't anthropomorphize computers, they don't like it.
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.
If you're curious about some of the history of Microsoft and the certification of Windows for government work, click here, and look elsewhere for the story of Ed Curry. It's been linked to here on Slashdot before.
If you want to know more about the EAL4 certification that Windows 2000 SP3 currently has, click here.
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.
Welcome to the Panopticon. Used to be a prison, now it's your home.
I know the agency I work at follows these ridiculous regulations only when they fall in line with what they were planning on purchasing anyway. For example, most of the security products we use are not FIPS 140-1 compliant anyway. Who cares?
This will carry a lot of weight to any argument with a PHB or similar.
J.
You're only jealous cos the little penguins are talking to me.
You can get an overview at networkcomputing.com or at the Common Criteria web site.
*BSD might as well be dead to the commercial and government enterprises. Until you see the likes of Dell and IBM slapping FreeBSD on their shiny metal systems, your run-of-the-mill IT buyer will still regard the OS as something whose name simply rings a bell or is the answer to an IT-related trivia question.
I work at a gov't site. We have plenty of systems in production and dev environments running Linux, in part because the project managers were able to use the Dell fed contract to get those servers with Linux. So, Linux is recognized by those buyers as a legitimate OS for business use. I can certainly slap SomeBSD on those machines, but whoops, the Oracle vendor said Linux was good, but not this SomeBSD.
When BSD is embraced by top-level vendors, companies will consider it.
So long, michael. Don't let the door hit you...
According to the press release the certification covers the `SuSE Linux Enterprise Server 8 on IBM eServer xSeries', i.e. a specific SuSE product running on a specific family of servers. And nothing else. Read also this bit.
Oh. I just thought another article said it took 2 million to do the first level of cert, and went up from there. IIRC, it's about 9 million for the EAL7 test, as it has the NSA certify all the source, compiled binaries, default configuration, and configurability. The hardware is also certified the same way, so that the OS is joined to the exact brand of chip. And EAL7 takes about 1-3 years of rigorous testing.
EAL1 = "What's a computer?" user tested
EAL2 = "What's this button do?" user tested
EAL3 = "What's this Linux thingy?" user tested
EAL4 = "Script kiddie tested, hacker approved"
EAL5 = "Whoa, it has NMAP!" user tested
EAL6 = "Cool! I just transferred 2e6$ to my Swiss acct" user tested
EAL7 = "The black hats are pissed" system secure
Nope, we won't slashdot Yahoo. But we may slashdot their rating system :)
There's that "Rate This Message" on the bottom. Just everyone pick "5" and the news will make it to the "highest rated" and possibly to the top headlines of Yahoo news.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I'm not sure what it means by the "highest rating possible," but I do know that Level 2 security clearance is what you need in order to take orders and be a real DoD contractor. This is the level that I believe Raytheon's ICCC division (the ones that program the missiles) and other companies such as Boeing work on. The divisions themselves have to be certified in order to work on projects, and since about last year the gov't has started to push their contractors to do this, it makes sense that this finally happened.
This doesn't really open the way for other companies to use Linux, I don't think, but perhaps this will get other companies to do this as well. More competition can't hurt, right?
"Time is long and life is short, so begin to live while you still can." -EV
If Win2k gets a higher rating than Linux, then why do we have stuff like this [cert.org] happening?
Read the certification assumptions: cooperative users in a benign environment, and network connections only to hosts in the same administrative domain. In short: "Don't use this on the Internet, or the certification is completely meaningless."
Furthermore, certification just guarantees that a certain process is followed, and the process itself doesn't guarantee anything about implementation errors (except for the mitigation process), at least at such low levels as EAL4+.
(AFAIK, it wasn't even the default configuration that was certified.)
Well, after actually looking at the output of apt-cache dump, I can say with some authority that number is way off. It not only lists packages but dependencies. Let's try it like this: apt-cache dump | grep "^Package: " | wc -l Ah, 16701. That's a much more realistic number. Note: I'm running unstable and I've got a couple of unofficial sources in my sources.list, but 16701 is still nowhere near 100543 or the 147095 I get if I use your command. Also, you've got to consider that many of the packages are the same with slightly different compile options. With a ports tree, you set those compile options yourself. I will say that there is a difference, I just don't think that it is as large as the parent poster implies.
Why not fork?
First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.
Now realistically, EAL4 IS a restrictive certification! Trusted Solaris 8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?
Read the C|Net article and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.
Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.
So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Jonathan Shapiro wrote a great article analyzing the Windows Common Criteria certification; much of it applies to Linux as well. Among other things, it explains why Windows can get certified even with its remote root exploits: "An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected."
Most Linux/BSD distros' default configs are quite secure, whereas the default in Windows (which most people use) is extremely open and very vulnerable.
This is true at the moment, but it's changing with new product releases.
For example, on Windows Server 2003, IIS is not installed by default, and if you install it, it binds to localhost only by default. I find this rather impressive for Microsoft because it shows that the company sacrifices trivial installation for more security. I wonder where they are heading. IMHO, it's getting more and more likely that Microsoft crushes the free software competition in the security area. Not because of certification, but because of more reliable software, better product management, courage to make decisions which inconvenience users etc. Right now, their advisories are already among the best the market offers (which also says something about the market, but still I wouldn't have predicted this two years ago).
US military, budgets have held mostly constant
Which US are you talking about? In the United States, we're spending $48 Billion more this year than last. That's the "largest rise in US military spending in 20 years". Don't be fooled, the Pentagon has plenty of money.
Windows does not have security rating, Windows 2000 service pack 3 has a rating.
Windows 2000SP3 has a remote root RPC exploit.
May we never see th
Ok folks,
As someone who just spent the last 2 years of his IT career doing something called "Certification and Accreditation" I can tell you that this IS a big deal.
The DoD has a process called DITSCAP. In a nutshell it is a process that allows you to gauge the level of "risk" that your system presents, and that risk must be assumed by someone in a position of power.
There are many (boring) different kinds of regulations and rules that must be followed based on your confidentiality level, physical location, etc., etc., ad nauseam.
Previous to this, if there was a system connected to a gov. network running Linux, it would have to be classified as a high risk simply because it did not meet one of the most simple DITSCAP requirements, which says something to the effect of "Are the Commercial Off-The-Shelf (COTS) and Government Off-The-Shelf (GOTS) products certified?" Previous to this, ANY Linux system would fail this requirement and would therefore HAVE to be assigned a higher risk than a Win2K desktop. Fair? Hell no, but those are the rules.
The gov. agency running linux would have to go through all kinds of hoops to keep Linux and assume a "higher" risk level OR switch to Solaris and pay big $$$.
So, in doing this IBM was simply testing the waters with a cheaper EAL2 certification in order to see if they even had a chance. Seeing that they do, they will now go forward, and I wouldn't be surprised to see a bunch of other Linux Vendors going forward with their own testing.
So, this is HUGE.. Not just for Suse, not just for IBM, but for the future of Linux in Gov. institutions.
Sorry for the AC post, this is Maleficarum.
Common Criteria's CCPL (Centralised Certified Product List) - OS
and the NIST's Validated Products List (Operating Systems).
AIX 5L for PowerPC V5.2, Program Number 5765-E62
B1/EST-X, V2.0.1 with AIX, V 4.3 (Bull)
HP-UX (11i) Version 11.11
IRIX v 6.5.13, with patches 4354, 4451, 4452
IPSO 3.5 and 3.5.1 (Nokia)
Trusted IRIX/CMW v 6.5.13, with patches 4354, 4451, 4452, 4373, 4473
Solaris 8 2/02
Trusted Solaris 8 4/01
Sun Solaris Version 8 with AdminSuite v3.0.1
Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886
C2 refers to ratings under the TCSEC. For government use, the TCSEC has officially been cancelled. Thus, no one is going for C2 anymore. The closest equivalent are products that are compliant with the Controlled Access Protection Profile (CAPP), or soon, the Operating System Profile for Basic Robustness. You can learn more about these profiles at the IATF website.
Daniel
do the tests themselves work. Unfortunately, a lot of stuff in the computing world revolves around Windows - so it could be a matter of adding criteria to the test based on what Windows does or "is supposed to do."
It's one thing to say "Operating System A has this security feature while Operating System B does not", but it's a moot point when the way in which System B operates makes such a feature unnecessary anyway, or if there's a better/different way of doing it that isn't written on a sheet of paper.
This is where understanding the Common Criteria and how it works is critical. So take your seats, boys and girls, for a little primer.
The Common Criteria is not a criteria, per se, but a catalog of potential ways to address threats. When one writes a security target, one begins by enumerating the environment in which the product works: the assumptions, the threats the product will address, the threats the environment will address, and the policy. One then creates objectives for both the product and the environment to address those threats. To implement each of the objectives, one selects components from the CC.
In a security target (ST), this is a statement of "This is what I do". A Protection Profile (PP) is a statement of "This is what I want". One can build a target that is compliant with the PP; this is "You want this; here's how I give it to you".
But the key thing is that the target details the functionality the product claims. The evaluation process provides confidence that what is claimed is what is implemented.
Confidence, or in CC speak, assurance, comes in a variety of areas: how the design was documented and developed, what guidance is given to users, how thoroughly the product was tested, whether configuration management was in place, etc. These assurance areas are arranged into a set of 7 EALs, where EAL1 is "I ran a test and it worked", and EAL7 is formally specified and verified with penetration testing, etc.
Well, that's a quick introduction. Hopefully, this helped.
Daniel
(Want to learn more about security? Attend the Applied Computer Security Applications Conference (ACSAC).)
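The primer above describes a Security Target as assumptions, threats and policies, objectives for the product and its environment, and CC components selected to implement those objectives, and notes that evaluation only gives confidence that what is claimed is implemented. The following is an added example written for this page, not code from the original thread, from IBM or SuSE, or from any published ST or Protection Profile. It models that structure in Python and runs the two checks an evaluator's rationale review performs: does every threat and policy trace to an objective, and does every product objective trace to at least one functional component. It also shows the point made earlier in the thread about assumptions (benign environment, same administrative domain): if a deployment cannot assert an assumption, the evaluated claims simply do not cover it. The A.*, T.*, P.*, O.* and OE.* names are made up in CC style; the FAU/FDP/FIA identifiers are real CC Part 2 component names, but their mapping to objectives here is illustrative only.

```python
"""Toy model of a Common Criteria Security Target (ST) with the traceability
check an evaluator performs.

Added example for this page; not from the original thread, from IBM/SuSE, or
from any published ST or Protection Profile. The A.*/T.*/P.*/O.*/OE.* names
are invented in CC style; the FAU/FDP/FIA component identifiers are real CC
Part 2 families, but the objective-to-component mapping is illustrative only.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityTarget:
    name: str
    assumptions: set = field(default_factory=set)   # A.*: what the environment is assumed to be
    threats: set = field(default_factory=set)       # T.*: what must be countered
    policies: set = field(default_factory=set)      # P.*: organisational rules to enforce
    # TOE objective -> threats/policies it addresses ("this is what I do")
    toe_objectives: dict = field(default_factory=dict)
    # environment objective -> threats/policies left to the operating environment
    env_objectives: dict = field(default_factory=dict)
    # TOE objective -> CC Part 2 functional components (SFRs) that realise it
    sfr_map: dict = field(default_factory=dict)


def check_rationale(st):
    """Gaps the ASE rationale work units would flag.

    Every threat and policy needs at least one objective (TOE or environment);
    every TOE objective needs at least one functional component; and no
    objective may cite a threat or policy the ST never defined. Assumptions are
    not countered, only stated, so they are handled by unmet_assumptions().
    """
    defined = st.threats | st.policies
    all_objectives = {**st.toe_objectives, **st.env_objectives}
    addressed = set()
    for targets in all_objectives.values():
        addressed |= targets
    return {
        "uncovered": defined - addressed,
        "unimplemented": {o for o in st.toe_objectives if not st.sfr_map.get(o)},
        "dangling": addressed - defined,
    }


def unmet_assumptions(st, deployment):
    """Assumptions the deployment does not affirmatively satisfy.

    `deployment` maps assumption -> bool. Anything missing counts as unmet:
    if a site cannot assert the assumption, the evaluated claims do not
    cover that site, whatever the EAL number says.
    """
    return {a for a in st.assumptions if not deployment.get(a, False)}


def example_sts():
    """Two constructed STs: one whose rationale is complete, one with gaps."""
    complete = SecurityTarget(
        name="HypotheticalOS ST",
        assumptions={"A.COOP_USERS", "A.BENIGN_ENV", "A.SAME_DOMAIN"},
        threats={"T.UNAUTH_ACCESS", "T.AUDIT_LOSS"},
        policies={"P.ACCOUNTABLE"},
        toe_objectives={
            "O.DAC": {"T.UNAUTH_ACCESS"},
            "O.AUDIT": {"T.AUDIT_LOSS", "P.ACCOUNTABLE"},
        },
        env_objectives={"OE.TRAINED_ADMIN": {"T.UNAUTH_ACCESS"}},
        sfr_map={
            "O.DAC": {"FDP_ACC.1", "FDP_ACF.1", "FIA_UID.1"},
            "O.AUDIT": {"FAU_GEN.1", "FAU_STG.1"},
        },
    )
    gappy = SecurityTarget(
        name="HypotheticalOS ST (draft)",
        assumptions={"A.COOP_USERS"},
        threats={"T.UNAUTH_ACCESS", "T.NETWORK_ATTACK", "T.EAVESDROP"},
        toe_objectives={
            "O.DAC": {"T.UNAUTH_ACCESS"},
            "O.CRYPTO": {"T.EAVESDROP"},               # claimed, but no SFRs below
        },
        env_objectives={"OE.PHYSICAL": {"T.PHYSICAL"}},  # T.PHYSICAL never defined
        sfr_map={"O.DAC": {"FDP_ACC.1", "FDP_ACF.1"}},
    )
    return complete, gappy


if __name__ == "__main__":
    for st in example_sts():
        print(st.name, check_rationale(st))
    # An Internet-facing box cannot assert "same administrative domain" or
    # "benign environment", so the certified claims do not cover it.
    site = {"A.COOP_USERS": True, "A.SAME_DOMAIN": False}
    print("claims do not apply because of:", unmet_assumptions(example_sts()[0], site))
```

Running it reports an empty gap set for the complete ST and, for the draft, one uncovered threat, one objective with no components, and one objective citing an undefined threat. Note what the check does not do: it says nothing about whether FDP_ACF.1 is implemented without bugs. That is exactly the limit the thread keeps returning to: the rationale proves the claims are consistent, not that the code is correct.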