SUSE Awarded EAL4 Certification
An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."
.......oh fuck!
It's really a matter of money and time.
And less Windows is always a good thing.
Hopefully this will make more enterprises/companies/governments go for GNU/Linux and open standards. Anyway, it's about time. :-)
Why do I have to be so lazy?
While some of these certifications seem silly and almost obvious (as in "well of COURSE it can do that"), we should remember that for non-technical people (i.e. most of the government) this is all they have to judge technical suitability for the job. And like the bureaucrats they are, they adhere pretty strictly to these things.
So yes, it is a big deal that a major distro's broken through some of the red tape.
Maybe I missed it in the article, but I am curious if it was on a pSeries or xSeries. SLES9 on a pSeries box is a damn good combination. On the xSeries, it's o.k. but you do not have the peace of mind you get with the pSeries hardware.
I feel a little more confident in our military using that than MS Windows on cheap beige boxes.
What is EAL4 in 50 words or less?
It certifies SLES 9 as being in the same league as Windows 2000.
Wow, I guess Mr. Gates and company must be biting their nails. 2000 has that certification, yet XP, the best product with "advanced security technologies", has nothing.
Well, I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying it. False statements hurt worse than the bitter truth of "your product isn't good enough". I'd rather trust a company and have something that works okay and securely than some company that hides facts and has a better product in some ways, just not security.
It is funny how someone came out with a report saying Windows is more secure, but is that based on the experimental code or source, and which distribution? Novell and SuSE have always taken security as a priority and it shows.
Maybe the zealots can stop screaming that EAL certification is just a money thing or that it's worthless just because Win2k was certified EAL4.
I put all my efforts and support in Suse about 2 years ago and all my eggs in the Linux basket (in general) about 4 years ago.
I saw Redhat blink so I took the Suse path.
No regrets...
I can see a little dim hope that some corps and govs will move away from Windows and switch to Linux. But I don't know how realistic this is. Still, I hope.
Red Hat Enterprise Linux 4 has very recently been released. One imagines that it will be at EAL4 itself very shortly.
CC evaluation is not an automatic thing. The sponsoring company (in that case Microsoft) pays for the evaluation. A target is generated, which details hardware and software configurations. This can take months. Then the actual platform itself is evaluated, which can also take months, especially if deficiencies are found and corrected. Win2k was released in 2000, but didn't get CC evaluation until 2004. There's a hint.
I totally regret using Red Hat first. Suse is indeed the better road. I'd love to see the gov't be run on linux :D
Re: XP's non-cert status...
People tend to like things that are tried and true and are known to run solid, or with small incremental changes, done carefully.
The problem with XP is two-fold. First, it (the "jump" to XP) was just that, a jump, that wasn't all that carefully considered beforehand (MS just figured that most people would go with it, because after all, it IS the latest and greatest).
Second, MS marketing actually shot them in the foot here. They marketed this as the "hot new thing", "new and improved", "great new features", etc. Now, while this technique tends to work well on the general American public, it does not fly well with the government, who would much prefer "increased stability" concurrent with "improved performance". That is, they want exactly what they have but better. They don't really want the architecture that they understand pulled out from under them and replaced with a whiz-bang new thing, because, from experience, they know that sort of replacement tends to lead to troubles in critical situations.
And on the whole, they're right. If you must must must have a system that works, it's much better not to indulge in new and potentially useless features at the expense of a solid system.
I put all my efforts and support in Suse about 2 years ago and all my eggs in the Linux basket (in general) about 4 years ago.
I did the same thing. There's been a few warts (configuring Samba, some graphics issues which weren't well documented) but it's generally been good. SuSE is pretty easy to work with, reasonably polished. They could do a better job keeping up with some of the big name open source software like Mozilla through the official update channels (they're usually a few versions behind) but since I can install that myself, no biggie. SuSE has been good to me. Easy to install and stable as heck.
Only serious problem I'm running into is with an Adaptec 1210SA controller that Suse doesn't like. (I understand it's more of an Adaptec shitty-driver problem than a Suse problem; anyone have any recommendations on a 32 bit SATA RAID controller that actually works?) I have a workaround though so it's not an emergency...
I think the MS has improved on that with 2k, etc. , but I'm not sure.
Ooops...MacOS X is EAL3 not 4...my bad..unless I missed something somewhere
This certification has almost nothing to do with actual security problems you would encounter in the real world. Getting XP or SusE certified would do nothing to stop viruses/spyware/hackers/etc.
Netware is entrenched in government organisations. Therefore Suse/Novell open server needs to be rubber stamped ASAP.
Well, the EAL4 certification is only just a bunch of paperwork. It certifies that the company who got it did a lot of paperwork describing what the product does to be secure, and _no_ check, of whatever kind, is made by the government to certify that the claims are indeed true. Also, the claims that need to be made are really trivial and almost all s/w vendors can claim conformity. There is no point comparing security of win2k and linux based on that cert...
Don't they run US battleships on Windows NT? Is that the "C2" certification? Is there a Linux distro with that cert?
That, my friend, is probably the most succinct description of what is wrong with the world of personal computing that I've heard yet.
The only thing I would add is that this applies all across the board. Home users and corporate office users are in the same boat: they often have no interest in "upgrading" to get more whiz-bang because they don't need it and don't want the headaches. That's the essentially conservative attitude that the bulk of users have, because any significant change means they may have to spend time and money they don't have to learn something new, deal with problems that weren't there before, and may find their shiny new OS and apps interfering with getting their jobs done. Microsoft's feature-oriented marketing and forced upgrade cycles have probably caused more lost man-hours than the common cold.
The higher the technology, the sharper that two-edged sword.
Amongst the things required to make Windows NT 3.5 C2 compliant were disconnecting the removable media, removing the network connection and disabling the OS/2, POSIX and DOS subsystems. Amongst other things.
After you were done doing this, of course, NT 3.5 was only useful as a kiosk. Most applications that would benefit from C2 certification in the past were 'stovepipes' that don't interact with other applications, so this was okay.
This isn't poking fun at MS. This is how it got certified. Then, they assumed that 3.5 being C2 certified meant NT 3.51 and 4.0 were. They were incorrect.
The French Ministry of Defense will put up 7 million over the next three years to fund an industrial consortium building a Linux-based operating system that can achieve EAL5 certification. The coalition includes Bertin Technologies, SURLOG, Jaluna, Mandrakesoft, and OPPIDA.
BTW, there are Server and Embedded Linux versions that have achieved Telecom Carrier Grade certification for reliability. Microsoft won't try to get Telecom Carrier Grade certification for Windows because it is too unreliable.
"There is no point comparing security of win2k and linux based on that cert... "
Here's the obvious point: If you are trying to SELL it it matters. Discussing it on slashdot and what it really means or does is one thing, getting some org or agency or corporation to drop x-millions of dollars in your lap for your product is another. One of the main complaints about Linux that you read over and over is "how do you make money with open source software"? Well, here's one way to make that a reality. Jump through the hoops they set up for consideration. No jumping, no consideration. Emphasizing skins and themes and whether or not you can play some video game and such like noise is cute,and seemingly a major part of most distros out there, but if you want to be taken seriously where the big dogs play with their checkbooks, you got to toe some of the lines they have drawn in the sand.
If it were easy to do and almost all major vendors could claim compliance, then why wouldn't MS make sure that XP was certified? They made a big deal about Win2000 certification when they got it. It's cheap marketing for MS and fuel for their FUD engine, which they know they need to keep fed. I doubt that MS simply doesn't care about certification or couldn't put enough resources behind the process to get it done.
Now I don't doubt that EAL certs are mostly a bunch of paper shuffling and hand waving, but then again it doesn't seem like they come in Cracker Jack boxes either. Otherwise MS _would_ have certs for XP.
I'm sure Gates would have liked to have been able to say, "Hey, XP's EAL4 certified by the US government" when asked about MS's commitment to security and stability recently.
It doesn't matter that Microsoft doesn't have EAL4 for WinXp yet. They are in the process of getting it, and that is all that matters for the ability to use the product where that certification level is required.
Currently government agencies are allowed to use RHELv3 and 4 in areas that require EAL4 because Red Hat is in the process of obtaining it.
Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.
It's really a matter of money and time.
And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.
Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.
go linux?
How dare you try to take the limelight away from the beloved Linux. Linux is teh r0xerz!!!1
That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).
IBM paid for it. IBM's engineers did it. They do this kind of thing on behalf of the distros it uses on its hardware. It has absolutely nothing to do with the resources of Novell or what not; IBM would certify Debian, if IBM's customers demanded it.
IIRC, EAL is based on a specific version of the operating system, running on specific hardware. It's relatively pointless (IMO) to certify a desktop operating system which can run on a myriad of hardware - or you would certify, but only on a very limited range of hardware. It probably means relatively little.
But Novell/SuSE also deserves credit for running a top-notch configuration management system (Autobuild), having controls and procedures for keeping track of where which patches that get incorporated come from, and for having a patch notification and publication process that enables customers to get timely notification of necessary patches.
The business processes surrounding manufacturing the distribution and supporting customers on a global basis are valuable Novell/SuSE contributions.
Disclaimer: I work for Novell and work with the folks at SuSE on a daily basis.
...it is a real punch against M$ propaganda about Linux being insecure... anytime M$ tells the public that Linux is insecure we can say that we've got the same certification as they have...
It's really a _lot_ of paperwork and I'm sure that MS got that cert everywhere it really matters. As for linux, seeing distros get that cert means that they have certain hopes to see linux in some places that require EAL4. Nothing more.
"I'm sure Gates would have like to have been able to say , "Hey, XP's EAL4 certified by the US government" when asked about MS's commitment to security and stability recently."
I'm sure Bill can say better and lower priced nonsense than that.
The CSI publishes annual reports with lots of numbers, but usually obscures the fact that these numbers are obtained from voluntary and unverified sources (meaning there's no way to establish the accuracy or veracity of the numbers!)
Also, what's an example of lying by implication here is the 93% of breached companies going out of business. This number could come from anywhere. In the Western world 2 out of every 3 startup companies go out of business within 1-2 years. How does that factor into this number?
Come on, I dare you, how can this not set off your bozon alarm? CSI publishes numbers that promote and justify its existence, but doesn't actually do anything that security experts pay attention to (except laugh when they recognize the CSI graphs in some bozo's Powerpoint presentation..)
Seriously. I live and die by the availability of such certifications. Even if we don't really implement it exactly, it's nice to be able to point to this and say, HEY, SLES 9 is EAL4 (mutter: in that configuration), it's perfectly fine! And it's business as usual, albeit with one less win2k paperweight (which doesn't really have a valid EAL cert either, so who's fooling who?)
If I could give you a hug, I would.
provided that they trust the people responsible for maintaining and operating said system, and demonstrating that all compartmentalization/security requirements are met, etc. etc. I knew people running FreeBSD, non-trusted Solaris, generic Linux w/SNARE. etc. on SIPRNET. And DISA was fine with it. I don't know if there was other documentation in place to make that possible, but apparently it wasn't a problem.
http://www.mvista.com/products/cge/features.html
They also make a version targetted for embedded/settop uses.
I was being sarcastic
The US retired the Rainbow Series a while ago, but EAL4 is about a close approximation to C2.
Nope....
The CAPP (as used in the Linux evaluations) is the C2 equivalent and it only mandates EAL3.
cheers
afx
Security? That thing has more holes than swiss cheese! All applications are run on a single box, with clients connecting via Citrix. That box is typically Windows. Windows doesn't have Orange Book B-grade compartmentalization. This means that if you were to break into that box, you would see absolutely everything that everyone is doing.
Connections are secure, using client-side and server-side certificates. That's the one piece of competent engineering in the whole bundle. However, because of the total centralization on an insecure platform, it is totally wasted. The security is no better than the weakest link. Beefing up the network security is good, but because clients and servers are all insecure systems, what good is it?
The next part of NMCI is the enforced separation between unclassified and classified networks. That is good, but it was largely the practice anyway so that offers no advantage.
Lastly, NMCI install contracts tended to be politically awarded, rather than based on technical merit. The installers had minimal or no clearance. Anybody could be an installer. It was a minimum wage (or less) job. With anybody being able to do the installs, and nobody with any skills wanting to, any of those machines might have a rootkit or a stealth virus. There would be no way of knowing and, frankly, I wouldn't trust any of those I worked with to be able to run the necessary tests.
Result? The security benefits are practically nil, because you can't trust anything that does work, and you can't even trust any component of the system TO work.
There is at least one product that has been Evaluated at the EAL5 or higher level. I forget whether it was in the US or UK. I didn't check all the signatories when I was looking. Recall that EAL5 or higher Evaluations are given by specific countries and are not recognized generally by other countries.
And EAL4 is a significant achievement. Now try for EAL5 and that is something absolutely huge. There is only one OS in evaluation at that level right now and its evaluation has stretched years. And millions.
I've been looking on the Microsoft site to get an idea of security accreditations, but it's impossible to find. Does anyone have a link to what version of MS has passed which accreditation (and in what way, because I'm not impressed with the NT C2 rating)?
Yes, this puts SUSE in the exact same league as Win2K... they both received the same certification. Please pay attention to the protection profile. Both operating systems received EAL4 certification against the CAPP (Controlled Access Protection Profile). In a nutshell, this means that a potential user _must_ log into the machine with a valid username and password (and that fact is audited) before they are granted access. For those who remember Win95, you can't hit the escape key when the login screen pops up and get access.
This DOES NOT mean the O/S would be accredited at C2 (or any other level in the Orange Book - for those who remember that tome).
Though I'm posting AC, I'm a software engineer and a member of the IEEE, the IEEE Computer Society, and the IEEE Standards Association - I know of what I speak.
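The post above boils CAPP down to one rule: nobody gets a session without first authenticating, and the authentication itself (success or failure) lands in the audit trail. The following is an added example, not code from the thread or from the SLES/IBM evaluation, showing how a practitioner might check a Linux audit log against that rule. It assumes auditd's `type=... msg=audit(ts:serial): ...` line layout with the usual PAM record types (`USER_AUTH`, `USER_ACCT`, `USER_START`); the sample records, pids, timestamps and account names are constructed for the example, and the check simplifies by keying authentication and session-open on the same pid, which holds for `/bin/login` but not for every daemon.

```python
"""Check an auditd-style trail for the CAPP-style rule discussed above:
every session open must be preceded by an audited, successful authentication
for the same account.  Added example; the log below is constructed."""
import re
from collections import defaultdict

# Constructed sample audit trail (not captured from a real system).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1110000001.000:101): pid=1201 uid=0 msg='op=PAM:authentication acct="alice" exe="/bin/login" terminal=tty1 res=success'
type=USER_ACCT msg=audit(1110000001.100:102): pid=1201 uid=0 msg='op=PAM:accounting acct="alice" exe="/bin/login" terminal=tty1 res=success'
type=USER_START msg=audit(1110000001.200:103): pid=1201 uid=0 msg='op=PAM:session_open acct="alice" exe="/bin/login" terminal=tty1 res=success'
type=USER_AUTH msg=audit(1110000010.000:104): pid=1202 uid=0 msg='op=PAM:authentication acct="bob" exe="/bin/login" terminal=tty2 res=failed'
type=USER_AUTH msg=audit(1110000012.000:105): pid=1202 uid=0 msg='op=PAM:authentication acct="bob" exe="/bin/login" terminal=tty2 res=failed'
type=USER_START msg=audit(1110000020.000:106): pid=1203 uid=0 msg='op=PAM:session_open acct="mallory" exe="/usr/sbin/sshd" terminal=ssh res=success'
"""

# Outer record header: type, timestamp and serial, then the remaining fields.
_LINE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value tokens; values may be double-quoted, single-quoted or bare.
_FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def parse_record(line):
    """Parse one audit line into a flat dict; returns None for non-matching lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, val in _FIELD.findall(m.group("rest")):
        if key == "msg":
            # The PAM payload is itself a key=value list inside msg='...'.
            for k2, v2 in _FIELD.findall(val.strip("'")):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def check_sessions(log_text):
    """Return (violations, failed_auth_counts).

    violations: (serial, acct, exe) for each USER_START with no earlier
    successful USER_AUTH for the same (pid, acct).  Assumption: the process
    that authenticates is the one that opens the session, as /bin/login does.
    failed_auth_counts: acct -> number of failed authentication records."""
    authenticated = set()
    failed = defaultdict(int)
    violations = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec.get("pid"), rec.get("acct"))
        if rec["type"] == "USER_AUTH":
            if rec.get("res") == "success":
                authenticated.add(key)
            else:
                failed[rec.get("acct")] += 1
        elif rec["type"] == "USER_START" and rec.get("res") == "success":
            if key not in authenticated:
                violations.append((rec["serial"], rec.get("acct"), rec.get("exe")))
    return violations, dict(failed)


if __name__ == "__main__":
    bad, fails = check_sessions(SAMPLE_LOG)
    for serial, acct, exe in bad:
        print(f"session {serial}: acct={acct} via {exe} opened without an audited successful authentication")
    for acct, n in fails.items():
        print(f"{acct}: {n} failed authentication attempt(s)")
```

On the constructed trail the checker flags the `mallory` session (opened with no authentication record at all) and reports two failed attempts for `bob`, which is exactly the kind of evidence a CAPP audit requirement exists to preserve. Against a real trail you would key on `ses=` rather than `pid=` for privilege-separated daemons and feed it `ausearch` output instead of a string literal.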