Slashdot Mirror

← Back to Stories (view on slashdot.org)

SUSE Awarded EAL4 Certification

Posted by timothy on from the lockup dept.

An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."

15 of 160 comments (clear)

  1. Same League as Windows 2000..... by Anonymous Coward · · Score: 5, Funny

    .......oh fuck!

    1. Re:Same League as Windows 2000..... by man_of_mr_e · · Score: 4, Insightful

      Hmm.. What I don't understand is how ANY version of linux achieved EAL3 or better. One of the criteria is that the OS have strict design documentation and that the implementation meets that design documentation. My understanding of the Linux development is that it's very informal and has no real design documentation (other than what a given hacker may create for themselves).

      I'm not saying that Linux doesn't deserve it, just that I don't understand how they were able to meet that criteria.

      --
      If you need web hosting, you could do worse than here
    2. Re:Same League as Windows 2000..... by mindstrm · · Score: 5, Informative

      Linux didn't achieve it.. a specific distribution by SUSE did. The documentation and implmenetation designs are by suse.

      The certification doesn't require documenting all the code.... it's more about overall system design,the security model, user authentication, etc.

  2. RHEL 4 - EAL4+ coming by OffTheLip · · Score: 5, Insightful

    It's really a matter of money and time.

    1. Re:RHEL 4 - EAL4+ coming by hal9000(jr) · · Score: 5, Insightful

      Kinda. Provided there is a well designed and realistic Protection Profile and the Security Target is realisticaly designed, there is some value to the CC certification.

      The biggest issue I have seen with CC is more in the understanding, or lack there of, of what is covered in a CC eval on both consumers and vendors. Vendors obviously promte the CC eval because it is expensive and has a certain cache. Users tend to glaze over reading the certification docs and most often don't make it very far before checking whatever check box they need.

    2. Re:RHEL 4 - EAL4+ coming by soren42 · · Score: 5, Insightful


      It's really a matter of money and time.

      That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).

      Initially, there were a lot of concerns when Novell acquired SuSE around their committment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary. So, those concerns have been put to bed, it makes Novell/SuSE a very attractive Linux option. They have the resources, relationships, and talent to work quickly and effectively - developing solid, certified, and feature-rich open software.

      Please don't mistake this comment as Red Hat bashing. I am simply pointing out that Novell has the resources to really make a difference in the US Linux market - and things like achieving EAL4 (so quickly) prove that.

      --

      "Adventure? Excitement? A Jedi craves not these things."
  3. Microsoft and Linux Denial by CoolSilver · · Score: 5, Insightful

    Wow, I guess Mr. Gates and company must be biting their nails. 2000 has that certification yet XP, the best product with "advanced security technologies" has nothing.

    Well I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying. False statements hurt worse than the bitter truth of "your product isn't good enough". I rather trust a company and have something that works okay and secure than some company that hides facts and has a better product in some ways, just not security.

    It is funny how someone came out with a report saying windows is more secure, but is that based off the experimental code or source and which distribution. Novell and SuSE have always taken security as a priority and it shows.

  4. Re:Is there hope? by TheCabal · · Score: 4, Informative

    Not likely to happen soon. Just because it's been EAL4 certified doesn't mean that is allowed to be operated on a Federal network. In the case of DoD network, it still needs a CTO (Certificate To Operate) before being allowed to be connected to the network. A CTO requires a whole DITSCAP session, formal documentation, evaluation and recommendation. For an operating system, it could literally be years before a CTO is produced. An interim CTO could be generated, but I don't think any major commands are willing to risk issuing one for such an unknown as this.

  5. Re:For the short attention span people by AwaxSlashdot · · Score: 4, Informative

    Copy/paste from the link under EAL4 :
    "The evaluation levels are ordered hierarchically in increments beginning from EAL1 to EAL7, with each level requiring a more advanced and intense means of testing. To date, EAL4 is the highest level certification awarded to any security product in the market."

    --
    Sig (appended to the end of comments you post, 120 chars)
  6. Re:Im really bad at topics/subjects by $ASANY · · Score: 4, Insightful

    This really only makes a difference in the federal sector here in the U.S., as commercial firms might be interested in CC, they understand that CC really doesn't mean a whole lot. For the federal sector, this is only one half of the whole ball of wax.

    Just about every DoD or other federal government RFP these days requires that every part of the solution be CC EAL 3 or greater because of DoDD 8200.1 and other mandates. Without CC, you can't be considered, no matter how much better your solution is than the relatively limited menu of certified options.

    The other half is FIPS 140-2, which covers data encryption. If you don't have FIPS 140-2 you can't play ball, and even then in some places like the U.S. Navy, there's another layer of certifications for NMCI and such. So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.

    So will this announcement cause more enterprises to use SLES? Nope. They don't really care. Companies? Same boat. Governments? Only in those cases where SLES will exist entirely within a secure intranet or will piggyback on a generally closed-source 3rd party FIPS certified encryption system. SLES hasn't scored yet.

    The other barrier is that for most potential government installs, there has to be CC certified software to run on it, unless it's just a network appliance. MySQL, Apache and all the rest would have to be CC certified to actually get a pure open source solution in the door.

    The net effect is that this plays directly into the hands of the big software/hardware vendors and creates a barrier to entry for smaller players who would like to play in the federal space. Sure, SLES is certified, but with what? Oracle and IBM? Who's going to pay to get Apache2 certified for both Common Criteria and FIPS 140-2?? Or MySQL? Or PHP4? Look for more domination in the federal software market by the likes of Microsoft and Oracle, who will have even less incentive to create really good software because this somewhat meaningless certification process reduces competition and increases profitability for those who can invest in certifications.

    Look at NMCI if you are doubtful. It hasn't helped the Navy improve it's IT infrastructure one bit, and made EDS nearly the sole vendor for all IT for the Navy. It's the gatekeeper of the NTISSP certification process, and everything it decides to approve has to be purchased through and managed by EDS. Certifications like this are simple money grabs by major Systems Integrators and muscular software companies.

    Nothing to see here. Keep moving.

  7. Re:Wasn't there .... by Anonymous Coward · · Score: 5, Funny

    Yeah, its meanless except for a small class of government applications. Unfortunately, Microsoft drank their own koolaid and started marketing the certification as a general security feature.

    "Windows NT's Security Certification means that firewalls are optional" -- actual bullshit advice from a microsoft document in the mid-90s.

  8. Re:Unsinkable by TheCabal · · Score: 4, Informative

    There aren't any battleships currently in commission in the US Navy, all have been either scrapped or mothballed. You're probably thinking of the prototype cruiser that made all the headlines. It was running NT, bluescreened and the ship was stuck. Not that the bluescreen was not an OS error, but an error due to a divide by zero from the application, and it wasn't written well enough to handle that error nicely, so the OS did what it was supposed to. The ship was rushed anyway, and supposed to have Unix backends for all the C^2 functions. NT is just for the user workstations.

    The US retired the Rainbow Series a while ago, but EAL4 is about a close approximation to C2.

  9. Linux going for EAL5 by Anonymous Coward · · Score: 4, Interesting

    The French Ministry of Defense will put up 7 million over the next three years to fund an industrial consortium building a Linux-based operating system that can achieve EAL5 certification. The coalition includes Bertin Technologies, SURLOG, Jaluna, Mandrakesoft, and OPPIDA.

    BTW. There are Server and Embedded Linux version that has achieved Telecom Carrier Grade certification for reliablity. Microsoft won't try to get Telecom Carrier Grade certification for Windows because it is too unreliable.

  10. From one of the engineers... by omnirealm · · Score: 5, Informative

    Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.

    It's really a matter of money and time.

    And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.

    Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.

    --
    An unjust law is no law at all. - St. Augustine
  11. IBM Effort + Novell/SuSE Processes by eer · · Score: 4, Informative
    Other posts are correct - IBM made this happen through manpower and expenses, to create the documentation needed for so many open source projects (lacking design documentation, for the most part), and for underwriting the evaluation labs effort.

    But Novell/SuSE also deserves credit for running a top-notch configuration management system (Autobuild), having controls and procedures for keeping track of where which patches that get incorporated come from, and for having a patch notification and publication process that enables customers to get timely notification of necessary patches.

    The business processes surrounding manufacturing the distribution and supporting customers on a global basis are valuable Novell/SuSE contributions.

    Disclaimer: I work for Novell and work with the folks at SuSE on a daily basis.