Slashdot Mirror


IBM Clinches Security Certification for Linux

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification. " What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.

34 of 373 comments

  1. Just wondering.. by CausticWindow · · Score: 4, Interesting

    What are the ratings and how do other common OS's score? Anybody know?

    --
    How small a thought it takes to fill a whole life
    1. Re:Just wondering.. by nakhla · · Score: 5, Informative

      I believe Linux received an EAL 2. Windows 2000, however, has received an EAL 4. An EAL 4 involves more security checks and requirements.

    2. Re:Just wondering.. by Anonymous Coward · · Score: 5, Informative
    3. Re:Just wondering.. by Anonymous Coward · · Score: 5, Informative

      You can get an overview at networkcomputing.com or at the common criteria web site.

    4. Re:Just wondering.. by TedCheshireAcad · · Score: 4, Insightful

      If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?

      Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?

    5. Re:Just wondering.. by evenprime · · Score: 4, Insightful
      TedCheshireAcad asked
      If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?

      Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
      No, it is not odd. It is expected, in fact. Microsoft's rating was for common criteria "CAPP/EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". I don't consider the internet to be a non-hostile and well-managed user community, so I'm not the least bit surprised that hostile remote attacks are possible. The evaluations didn't say that it was safe to hang the microsoft box - or the linux one - on the internet.

      These lower level security evaluations don't mean much in terms of real security out on the big scary internet; i.e. the situation most of us find our machines in all the time. (This has been discussed on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD, who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's comments on the C2 rating in the Orange Book (the predecessor of the common criteria.) This is the formal description of EAL4 in the official list of evaluation levels
      EAL4 - methodically designed, tested and reviewed

      EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs.

      An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
      Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
      --

      "Weapons should be hardy rather than decorative" - Miyamoto Musashi
      I think that goes for OS's too
  2. Another link by manduwok · · Score: 5, Informative

    CNN.com has this story too.

    1. Re:Another link by plaa · · Score: 4, Informative
      The CNN article (as do some others I found using Google News) points out a few important facts that were omitted from the Yahoo story. A few important quotes:

      Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.


      So it isn't yet certified at the same level as Windows.

      The approval, being announced Tuesday, involves only one version of Linux, from SuSE Linux AG, a vendor based in Nuremberg, Germany, when the software is installed on a particular line of IBM's server computers. IBM, which paid roughly $500,000 for the testing, and SuSE were announcing the certification jointly.


      So if anybody else wants to be selling Linux to the US government, they have to shell out those hundreds of thousands of dollars themselves.

      So maybe not much use for the overall community, but certainly a landmark in the history of Linux, and it shows that it certainly can be done!
      --

      I doubt, therefore I may be.
  3. Big win for Linux! by Anonymous Coward · · Score: 5, Informative

    Microsoft set out to get Win2K certified and only completed the process last October according to .

    Linux now has the upper hand because MS does not yet have XP certified.

    1. Re:Big win for Linux! by EvilTwinSkippy · · Score: 4, Insightful
      Excuse me? Windows 2003 is an entirely new product and requires an entirely new certification.

      Linux DOES have an advantage. I can always get support for an old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.

      People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.

      When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.

      Now how do you do that within a 5 year Window again?

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  4. Re:Alright...? by azzy · · Score: 5, Informative

    I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.

  5. Red Hat / Oracle by jmkaza · · Score: 4, Interesting

    According to this article, Red Hat and Oracle are working on gaining the same level of certification by the end of the year.

  6. Re:Can vs. Will by Anonymous Coward · · Score: 5, Insightful

    And you think IBM doesn't know how to handle bureaucrats? They invented the game and probably patented it as well.

  7. It must really be secure then... by Dot.Com.CEO · · Score: 4, Interesting

    I mean, look at all the other level 4 assurance level OSs here . Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance to the common criteria guides for the Windows Sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreaction on the part of the /. editors?

    --
    Mother is the best bet and don't let Satan draw you too fast.
    1. Re:It must really be secure then... by Mr+Bill · · Score: 5, Funny
      Microsoft has prepared a nice guide for ensuring compliance to the common criteria guides for the Windows Sysadmin

      Does it include removing the Ethernet card from the system???

  8. Linux in Government by Sogol · · Score: 5, Interesting

    I'm a sysadmin for a large government data center. We've been using Linux in production for years, and we always purchase boxed distributions, even some preconfigured(!) machines from Dell. Government regulations do, however, prevent me from ordering Windex and Duster. These are considered janitorial supplies, and there is no justification in Information Systems procuring these items. So frankly, I'm not sure what all the fuss is about. Things look a lot different on the ground.

  9. Over-hype - not highest rating possible by eer · · Score: 5, Informative

    The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.

    IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.

  10. Re:Thank you IBM by DarkSarin · · Score: 4, Interesting
    Glad to see they aren't letting SCO scare them away from giving Linux their support time after time

    Did you seriously think that they would? If so you need to share some of the dope you've been smoking. As has been said numerous times on this board: to IBM, SCO is nothing more than an annoying mosquito. They might be carrying West Nile, but they are still just a mosquito, and can be crushed or captured almost any time.

    The cool part about this whole article is that with the security cert, the government could begin switching some of their offices over. It also means that organizations like hospitals (who need to be concerned with privacy due to HIPAA) can be sold on the fact that it is secure and they don't have to worry as much about some hacker stealing confidential information.

    Think about it.
    --
    "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
  11. Re:Can vs. Will by Liselle · · Score: 5, Insightful

    Don't underestimate how cheap people can be. It goes hand-in-hand with greed. Windows is not precisely free.

    Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliché now to say this, but the days are numbered for the stranglehold Microsoft holds, one way or the other.

    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
  12. Wrong. Wrong wrong wrong... by kiwimate · · Score: 4, Informative

    IBM has gotten Linux certified

    Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.

    Linux got the highest rating possible

    No it didn't. FUD. According to this story...

    Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.

    In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.

  13. Re:Alright...? by eyegor · · Score: 4, Informative
    According to the articles, Win2k got an EAL4 (click here) and Linux got an EAL2+ (suse press release)

    It's still good to see Linux get this certification though. It's another step towards displacing Windows.

    --

    Don't anthropomorphize computers, they don't like it.
  14. windows certifications by non · · Score: 4, Informative

    if you're curious about some of the history of microsoft and the certification of windows for government work, click here, and look elsewhere for the story of ed curry. it's been linked to here on slashdot before.

    if you want to know more about the eal4 certification that windows 2000 sp3 currently has, click here.

    --
    ...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
  15. Re:Can vs. Will by sporty · · Score: 4, Interesting

    Well, look at it this way. If you couldn't, trying would be futile. Sorta like trying to get water/blood from a stone. But, with linux certified, saying that you will not even have one supporter of linux in gov't just got a little unreasonable.

    You have big corps like IBM, HP and Dell saying, "it's ok."
    You have many countries saying "It's ok, see?"
    You have the US (via certification) saying "it's ok."

    Seems more unreasonable to say it will never happen every other day.

    --

    -
    ping -f 255.255.255.255 # if only

  16. Re:Can vs. Will by idontgno · · Score: 5, Informative
    There are a lot of factors, indeed, but in at least one US military IT acquisition that I'm familiar with, the choice of OS platform was driven purely by purchase cost. That's why this contract chose Major-Brand (tm) PCs with some flavor of RedHat (with support contract) to succeed Sun Ultra workstations running Slowlaris(tm), the incumbent system in the field. Customer wanted to drive the acquisition cost down down down.

    Even the greediest government agency has to operate within budget, after all. And in the US military, budgets have held mostly constant while obligations associated with things like war-fighting have gone up, so your non-combat line items get shrunk to make up the difference.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  17. Re:Can vs. Will by keester · · Score: 5, Insightful

    The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.

    Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Windows licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.

    This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.

    --
    Take it easy? I'll take it anyway I can get it . . .
  18. Re:Can vs. Will by jellomizer · · Score: 4, Interesting

    Well IBM is a force to be reckoned with as well. In some ways a little more than Microsoft. Especially in New York State, where almost all the agencies use IBM products. But it was IBM who brought Microsoft into the mainstream. And they can probably bring Linux into the mainstream. It will not be an overnight adoption but a gradual one.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  19. High and higher by Rutje · · Score: 4, Funny

    Linux got the highest rating possible

    The highest rating for linux is Bill Gates using it (secretly at home)!

    --

    I want my karma, and I want it now!
  20. Re:Are there any secure Os's out there? by dema · · Score: 4, Funny

    Mac OS X.....duh!

    When was the last time someone made a virus for a mac?

    Security By Lack Of Popularity they call it. (:

  21. SuSE, not Linux by perly-king-69 · · Score: 4, Insightful

    Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?

    --

    This sig is inoffensive.

  22. CC is just not that simple. by Osrin · · Score: 4, Insightful

    1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.

    2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.

    3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.

    Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.

    Tread carefully.

  23. Smell those contracts by Teahouse · · Score: 5, Insightful

    This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.

    --
    "Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
  24. Re:Are there any secure Os's out there? by SmallFurryCreature · · Score: 4, Insightful
    ehm slight failure on your part of understanding how it was tested.

    Linux was tested for "low and moderate" security and passed. It was not tested for anything higher so we don't know if it would have failed those.

    The tests cost lots of money and time, so you start at the bottom and work your way up. It is like, say, a soccer team passing the semi-finals, you don't then say, oh that means they missed the finals? No that is yet to come.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  25. Re:In your face! by Osrin · · Score: 4, Insightful

    The terms CC and "security" should never be used in the same sentence, CC is not about security it is about trust.

  26. The significance of EAL2,3,4, etc. by swordgeek · · Score: 4, Informative

    First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.

    Now realistically, EAL4 IS a restrictive certification! Trusted Solaris8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?

    Read the C|Net article and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.

    Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.

    So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban