Slashdot Mirror


SUSE Awarded EAL4 Certification

An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."

15 of 160 comments

  1. RHEL 4 - EAL4+ coming by OffTheLip · · Score: 5, Insightful

    It's really a matter of money and time.

    1. Re:RHEL 4 - EAL4+ coming by hal9000(jr) · · Score: 5, Insightful

      Kinda. Provided there is a well designed and realistic Protection Profile and the Security Target is realistically designed, there is some value to the CC certification.

      The biggest issue I have seen with CC is more in the understanding, or lack thereof, of what is covered in a CC eval on both consumers and vendors. Vendors obviously promote the CC eval because it is expensive and has a certain cachet. Users tend to glaze over reading the certification docs and most often don't make it very far before checking whatever check box they need.

    2. Re:RHEL 4 - EAL4+ coming by soren42 · · Score: 5, Insightful

      "It's really a matter of money and time."

      That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).

      Initially, there were a lot of concerns when Novell acquired SuSE around their commitment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary. So, those concerns have been put to bed, and it makes Novell/SuSE a very attractive Linux option. They have the resources, relationships, and talent to work quickly and effectively - developing solid, certified, and feature-rich open software.

      Please don't mistake this comment as Red Hat bashing. I am simply pointing out that Novell has the resources to really make a difference in the US Linux market - and things like achieving EAL4 (so quickly) prove that.

      --

      "Adventure? Excitement? A Jedi craves not these things."

  2. Certs/ by cyberfunk2 · · Score: 3, Insightful

    While some of these certifications seem silly and almost obvious (as in "well of COURSE it can do that").

    We should remember, for non-technical people (i.e.: most of the government) this is all they have to judge technical suitability for the job. And like the bureaucrats they are, they adhere pretty strictly to these things.

    So yes, it is a big deal that a major distro's broken through some of the red tape.

  3. Microsoft and Linux Denial by CoolSilver · · Score: 5, Insightful

    Wow, I guess Mr. Gates and company must be biting their nails. 2000 has that certification yet XP, the best product with "advanced security technologies" has nothing.

    Well I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying it. False statements hurt worse than the bitter truth of "your product isn't good enough". I'd rather trust a company and have something that works okay and is secure than some company that hides facts and has a better product in some ways, just not security.

    It is funny how someone came out with a report saying windows is more secure, but is that based off the experimental code or source and which distribution. Novell and SuSE have always taken security as a priority and it shows.

  4. Well now by TheCabal · · Score: 1, Insightful

    Maybe the zealots can stop screaming that EAL certification is just a money thing or that it's worthless just because Win2k was certified EAL4.

  5. Re:Microsoft and Linux Denial by cyberfunk2 · · Score: 3, Insightful

    Re: XP's non-cert status...

    People tend to like things that are tried and true and are known to run solid.. Or with small incremental changes, done carefully.

    The problem with XP is two-fold.. first.. it (the "jump" to XP) was just that, a jump, that wasn't all that carefully considered beforehand (MS just figured that most people would go with it, because after all, it IS the latest and greatest).

    Second, MS marketing actually shot them in the foot here. They marketed this as the "hot new thing", "new and improved", "great new features", etc. Now, while this technique tends to work well on the general American public... it does not fly well with the government, who would much prefer "increased stability" concurrent with "improved performance". That is, they want exactly what they have but better. They don't really want the architecture that they understand pulled out from under them and replaced with a whiz-bang new thing, because, from experience, they know that sort of replacement tends to lead to troubles in critical situations.

    And on the whole, they're right.. if you must must must have a system that works, it's much better not to indulge in new and potentially useless features at the expense of a solid system.

  6. Re:Im really bad at topics/subjects by $ASANY · · Score: 4, Insightful

    This really only makes a difference in the federal sector here in the U.S.; while commercial firms might be interested in CC, they understand that CC really doesn't mean a whole lot. For the federal sector, this is only one half of the whole ball of wax.

    Just about every DoD or other federal government RFP these days requires that every part of the solution be CC EAL 3 or greater because of DoDD 8200.1 and other mandates. Without CC, you can't be considered, no matter how much better your solution is than the relatively limited menu of certified options.

    The other half is FIPS 140-2, which covers data encryption. If you don't have FIPS 140-2 you can't play ball, and even then in some places like the U.S. Navy, there's another layer of certifications for NMCI and such. So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.

    So will this announcement cause more enterprises to use SLES? Nope. They don't really care. Companies? Same boat. Governments? Only in those cases where SLES will exist entirely within a secure intranet or will piggyback on a generally closed-source 3rd party FIPS certified encryption system. SLES hasn't scored yet.

    The other barrier is that for most potential government installs, there has to be CC certified software to run on it, unless it's just a network appliance. MySQL, Apache and all the rest would have to be CC certified to actually get a pure open source solution in the door.

    The net effect is that this plays directly into the hands of the big software/hardware vendors and creates a barrier to entry for smaller players who would like to play in the federal space. Sure, SLES is certified, but with what? Oracle and IBM? Who's going to pay to get Apache2 certified for both Common Criteria and FIPS 140-2?? Or MySQL? Or PHP4? Look for more domination in the federal software market by the likes of Microsoft and Oracle, who will have even less incentive to create really good software because this somewhat meaningless certification process reduces competition and increases profitability for those who can invest in certifications.

    Look at NMCI if you are doubtful. It hasn't helped the Navy improve its IT infrastructure one bit, and made EDS nearly the sole vendor for all IT for the Navy. It's the gatekeeper of the NTISSP certification process, and everything it decides to approve has to be purchased through and managed by EDS. Certifications like this are simple money grabs by major Systems Integrators and muscular software companies.

    Nothing to see here. Keep moving.

  7. Re:Microsoft and Linux Denial by Lalakis · · Score: 2, Insightful

    Well, the EAL4 certification is only just a bunch of paperwork. It certifies that the company who got it did a lot of paperwork describing what the product does to be secure, and _no_ check, of whatever kind, is made by the government to certify that the claims are indeed true. Also, the claims that need to be made are really trivial and almost all s/w vendors can claim conformity. There is no point comparing security of win2k and linux based on that cert...

  8. Re:Same League as Windows 2000..... by man_of_mr_e · · Score: 4, Insightful

    Hmm.. What I don't understand is how ANY version of linux achieved EAL3 or better. One of the criteria is that the OS have strict design documentation and that the implementation meets that design documentation. My understanding of the Linux development is that it's very informal and has no real design documentation (other than what a given hacker may create for themselves).

    I'm not saying that Linux doesn't deserve it, just that I don't understand how they were able to meet that criteria.

  9. well, there's one... by zogger · · Score: 3, Insightful

    "There is no point comparing security of win2k and linux based on that cert... "

    Here's the obvious point: If you are trying to SELL it, it matters. Discussing it on slashdot and what it really means or does is one thing, getting some org or agency or corporation to drop x-millions of dollars in your lap for your product is another. One of the main complaints about Linux that you read over and over is "how do you make money with open source software"? Well, here's one way to make that a reality. Jump through the hoops they set up for consideration. No jumping, no consideration. Emphasizing skins and themes and whether or not you can play some video game and such like noise is cute, and seemingly a major part of most distros out there, but if you want to be taken seriously where the big dogs play with their checkbooks, you got to toe some of the lines they have drawn in the sand.

  10. Re:For the short attention span people by cowbutt · · Score: 3, Insightful

    An evaluation process, that, if completed successfully, allows (mainly) government IT users to justify their usage of SLES for some roles more easily to auditors, and makes its use possible in others.

  11. Re:Same League as Windows 2000..... by AstroDrabb · · Score: 3, Insightful

    Are you just trolling?

    MS Windows 2000 has this cert. Exactly where is _all_ this MS documentation available to the public? Oh, that is right, it is not. So exactly why would "Linux" need to have this public documentation? "Linux" wasn't certified. A specific implementation of Linux, SuSE Linux Enterprise Server 9, was awarded this certification level. Novell put in the effort needed to achieve this certification, including proper documentation.

    The Linux kernel is Open Source, as well as most/all of the GNU code base forming the complete OS. I can go out and build my own Linux distro (which I have done for personal use based on LFS). However, that doesn't mean that _my_ version of GNU/Linux is EAL4 certified. If you read the articles or even the simple summary, you should have clearly understood that currently, the only version of Linux to be EAL4 certified is, SuSE Linux Enterprise Server 9.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison

  12. Re:Microsoft and Linux Denial by Lalakis · · Score: 3, Insightful

    "Then why is it that it took so long to certify Linux? Why did it take 4 years to certify Windows 2000? Why isn't XP certified?"

    It's really a _lot_ of paperwork and I'm sure that MS got that cert everywhere it really matters. As for linux, seeing distros get that cert means that they have certain hopes to see linux in some places that require EAL4. Nothing more.

    "I'm sure Gates would have liked to have been able to say, "Hey, XP's EAL4 certified by the US government" when asked about MS's commitment to security and stability recently."

    I'm sure Bill can say better and lower priced nonsense than that.

  13. Re:Unsinkable by Tom · · Score: 2, Insightful

    "so the OS did what it was supposed to."

    Can I get some of what you're smoking? Since when is an OS supposed to crash hard just because a single application couldn't handle a divide-by-zero?

    --
    Assorted stuff I do sometimes: Lemuria.org