IBM Clinches Security Certification for Linux

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification. " What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.

Another link

[manduwok]

CNN.com has this story too.

Re:Another link

[plaa]

The CNN article (as some others I found using Google News) point out a few important facts that were omitted from the Yahoo story. A few important quotes:

Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.

So it isn't yet certified at the same level as Windows.

The approval, being announced Tuesday, involves only one version of Linux, from SuSE Linux AG, a vendor based in Nuremberg, Germany, when the software is installed on a particular line of IBM's server computers. IBM, which paid roughly $500,000 for the testing, and SuSE were announcing the certification jointly.

So if anybody else wants to be selling Linux to the US government, they have to shell out those hundreds of thousands of dollars themselves.

So maybe not much use for the overall community, but certainly a landmark in the history of Linux, and it shows that it certainly can be done!

Big win for Linux!

Microsoft set out to get Win2K certified and only completed the process last October according to .

Linux now has the upper hand because MS does not yet have XP certified.

Re:Alright...?

[azzy]

I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.

Re:Just wondering..

[nakhla]

I believe Linux received an EAL 2. Windows 2000, however has received an EAL 4. An EAL 4 involves more security checks and requirements.

Over-hype - not highest rating possible

[eer]

The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.

IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.

Re:Just wondering..

Check out here: http://www.commoncriteria.org/

Wrong. Wrong wrong wrong...

[kiwimate]

IBM has gotten Linux certified

Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.

Linux got the highest rating possible

No it didn't. FUD. According to this story...

Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.

In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.

Re:Alright...?

[eyegor]

According to the articles, Win2k got an EAL4 (click here) and Linux got an EAL2+ (suse press release)

It's still good to see Linux get this certification though. It's another step towards displacing Windows.

windows certifications

[non]

if you're curious about some of the history of microsoft and the certication of windows for government work, click here, and look elsewhere for the story of ed curry. its been linked to here on slashdot before.

if you want to know more about what the eal4 certification that windows 2000 sp3 currently has, click here.

Re:Can vs. Will

[idontgno]

There are a lot of factors, indeed, but at in least one US military IT acquisition that I'm familiar with, the choice of OS platform was driven purely by purchase cost. That's why this contract chose Major-Brand (tm) PCs with some flavor of RedHat (with support contract) to succeed Sun Ultra workstations running Slowlaris(tm), the incumbent system in the field. Customer wanted to drive the acquisition cost down down down.

Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.

Re:Just wondering..

You can get an overview at networkcomputing.com or at the common citeria web site.

The significance of EAL2,3,4, etc.

[swordgeek]

First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.

Now realistically, EAL4 IS a restrictive certification! Trusted Solaris8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?

Read the C|Net article and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.

Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.

So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.