SUSE Awarded EAL4 Certification
Posted by
timothy
on Sun Feb 20, 2005 01:19 PM
from the lockup dept.
An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."
Same League as Windows 2000..... (Score:5, Funny)
Re:Same League as Windows 2000..... (Score:5, Insightful)
I'm not saying that Linux doesn't deserve it, just that I don't understand how they were able to meet that criteria.
Re:Same League as Windows 2000..... (Score:5, Informative)
The certification doesn't require documenting all the code.... it's more about overall system design, the security model, user authentication, etc.
Re:Same League as Windows 2000..... (Score:2)
Re:Same League as Windows 2000..... (Score:3, Funny)
Re:Same League as Windows 2000..... (Score:4, Insightful)
MS Windows 2000 has this cert. Exactly where is _all_ this MS documentation available to the public? Oh, that is right, it is not. So exactly why would "Linux" need to have this public documentation? "Linux" wasn't certified. A specific implementation of Linux, SuSE Linux Enterprise Server 9, was awarded this certification level. Novell put in the effort needed to achieve this certification, including proper documentation.
The Linux kernel is Open Source, as well as most/all of the GNU code base forming the complete OS. I can go out and build my own Linux distro (which I have done for personal use based on LFS). However, that doesn't mean that _my_ version of GNU/Linux is EAL4 certified. If you read the articles or even the simple summary, you should have clearly understood that currently, the only version of Linux to be EAL4 certified is, SuSE Linux Enterprise Server 9.
Re:Same League as Windows 2000..... (Score:3, Interesting)
There are no restrictions on the development process. The point is that it gets validated as a finished item, so it doesn't matter how it got that way. It also doesn't matter who writes the documents, so long as they have the necessary information.
It will be interesting to see what SuSE does with the documents which were part of the process. It would als
RHEL 4 - EAL4+ coming (Score:5, Insightful)
Re:RHEL 4 - EAL4+ coming (Score:5, Insightful)
The biggest issue I have seen with CC is more in the understanding, or lack thereof, of what is covered in a CC eval on both consumers and vendors. Vendors obviously promote the CC eval because it is expensive and has a certain cachet. Users tend to glaze over reading the certification docs and most often don't make it very far before checking whatever check box they need.
Wasn't there .... (Score:4, Funny)
I think the MS has improved on that with 2k, etc., but I'm not sure.
Re:Wasn't there .... (Score:5, Funny)
"Windows NT's Security Certification means that firewalls are optional" -- actual bullshit advice from a microsoft document in the mid-90s.
Re:Wasn't there .... (Score:2, Funny)
I actually think most of this was the old "poking fun at Microsoft", tho. I mean, if that was the case, I doubt it would get certified.
On the other hand, I never had much respect for those rainbow certifications.
That is true (Score:3, Informative)
After you were done doing this, of course, NT 3.5 was only useful as a kiosk. Most applications that would benefit from C2 certification in the past were 'stovepipes' that don't interact with other applications, so this was okay.
This isn't poking fun at MS [microsoft.com]. This is how it got certified. Then, they
Re:That is true (Score:3, Informative)
No removable media = no backup
It depends on what you describe as a joke.
It allows the marketing 'droids to say things like 'We took a C2 certified system, added a ZIP drive and 3COM ethernet card, and voila one of the most usable, secure systems you could hope for.' (then hold their breath and hope that the carefully balanced shoe doesn't drop).
It's not fraud if you honestly (if misleadingly) document what you're doing.
Re:Wasn't there .... (Score:2, Informative)
Re:RHEL 4 - EAL4+ coming (Score:5, Insightful)
It's really a matter of money and time.
That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).
Initially, there were a lot of concerns when Novell acquired SuSE around their commitment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary. So, those concerns have been put to bed, which makes Novell/SuSE a very attractive Linux option. They have the resources, relationships, and talent to work quickly and effectively - developing solid, certified, and feature-rich open software.
Please don't mistake this comment as Red Hat bashing. I am simply pointing out that Novell has the resources to really make a difference in the US Linux market - and things like achieving EAL4 (so quickly) prove that.
From one of the engineers... (Score:5, Informative)
Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.
It's really a matter of money and time.
And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.
Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.
IBM Effort + Novell/SuSE Processes (Score:4, Informative)
But Novell/SuSE also deserves credit for running a top-notch configuration management system (Autobuild), having controls and procedures for keeping track of where the patches that get incorporated come from, and for having a patch notification and publication process that enables customers to get timely notification of necessary patches.
The business processes surrounding manufacturing the distribution and supporting customers on a global basis are valuable Novell/SuSE contributions.
Disclaimer: I work for Novell and work with the folks at SuSE on a daily basis.
Certs/ (Score:4, Insightful)
We should remember, for non-technical people (i.e.: most of the government) this is all they have to judge technical suitability for the job. And like the bureaucrats they are, they adhere pretty strictly to these things.
So yes, it is a big deal that a major distro's broken through some of the red tape.
pSeries or xSeries? (Score:2, Interesting)
Maybe I missed it in the article, but I am curious if it was on a pSeries or xSeries. SLES9 on a pSeries box is a damn good combination. On the xSeries, it's o.k. but you do not have the peace of mind you get with the pSeries hardware.
I feel a little more confident in our military using that than MS windows on cheap beige boxes.
Re:pSeries or xSeries? (Score:3, Interesting)
When the config earned EAL2+, it was on xSeries, but according to this [ibm.com], they earned EAL3+ on *all* platforms. I did a little digging but couldn't find if the same applies to this certification. I know it doesn't answer your question, but it may keep your hopes up to dig some more. As an IBM consultant doing Linux on x, p, and z.. I say "cool!"
Well, not quite (Score:2)
Re:Well, not quite (Score:2, Informative)
Microsoft and Linux Denial (Score:5, Insightful)
Well I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying. False statements hurt worse than the bitter truth of "your product isn't good enough". I'd rather trust a company and have something that works okay and secure than some company that hides facts and has a better product in some ways, just not security.
It is funny how someone came out with a report saying windows is more secure, but is that based off the experimental code or source and which distribution. Novell and SuSE have always taken security as a priority and it shows.
Re:Microsoft and Linux Denial (Score:4, Informative)
Re:Microsoft and Linux Denial (Score:3, Insightful)
People tend to like things that are tried and true and are known to run solid.. Or with small incremental changes, done carefully.
The problem with XP is two-fold.. first.. it (the "jump" to XP) was just that, a jump, that wasn't all that carefully considered beforehand (MS just figured that most people would go with it, because after all, it IS the latest and greatest).
Second, MS marketing actually shot them in the foot here. They marketed this as the "hot new thing", "new and
Re:Microsoft and Linux Denial (Score:4, Interesting)
The only thing I would add is that this applies all across the board. Home users and corporate office users are in the same boat: they often have no interest in "upgrading" to get more whiz-bang because they don't need it and don't want the headaches. That's the essentially conservative attitude that the bulk of users have, because any significant change means they may have to spend time and money they don't have to learn something new, deal with problems that weren't there before, and may find their shiny new OS and apps interfering with getting their jobs done. Microsoft's feature-oriented marketing and forced upgrade cycles have probably caused more lost man-hours than the common cold.
Re:Microsoft and Linux Denial (Score:2, Insightful)
well, there's one... (Score:3, Insightful)
Here's the obvious point: If you are trying to SELL it, it matters. Discussing it on slashdot and what it really means or does is one thing, getting some org or agency or corporation to drop x-millions of dollars in your lap for your product is another. One of the main complaints about Linux that you read over and over is "how do you make money with open source software"? Well, here's one way to make that a reality. Jump through
Re:Microsoft and Linux Denial (Score:3, Insightful)
It's really a _lot_ of paperwork and I'm sure that MS got that cert everywhere it really matters. As for linux, seeing distros get that cert means that they have certain hopes to see linux in some places that require EAL4. Nothing more.
"I'm sure Gates would have liked to have been able to say, "Hey, XP's EAL4 certified by the US government" when asked about MS's
I saw this coming. (Score:2)
I saw Redhat blink so I took the Suse path.
No regrets...
SuSE is a good way to go (Score:2)
I put all my efforts and support in Suse about 2 years ago and all my eggs in the Linux basket (in general) about 4 years ago.
I did the same thing. There's been a few warts (configuring Samba, some graphics issues which weren't well documented) but it's generally been good. SuSE is pretty easy to work with, reasonably polished. They could do a better job keeping up with some of the big name open source software like Mozilla through the official update channels (they're usually a few versions behind) bu
Re:SuSE is a good way to go (Score:3, Interesting)
The trouble is that Adaptec seems to think that doing RAID-1 in the device driver is somehow a good idea and worthy to be very secretive about. So they provide binary-only drivers for their card and it is 3 kernel versions behind.
Of course we need no Adaptec software RAID-1 as Linux has it in the kernel. After some searching and asking I found a patch that allowed the Adaptec controller to operate as a plain SCSI controller and from
Not surprised (Score:2)
Re:Not surprised (Score:2)
FWIW, on all the Federal networks I've worked on, I've seen damn few Novell servers. A lot of them used to run Novell, then migrated to Windows. I don't recall NetWare being on the EPL for the command I work for, so it might have already gone the way of the dodo.
Unsinkable (Score:2)
Re:Unsinkable (Score:5, Informative)
The US retired the Rainbow Series a while ago, but EAL4 is about a close approximation to C2.
Re:Unsinkable (Score:2)
Re:Unsinkable (Score:3, Insightful)
Can I get some of what you're smoking? Since when is an OS supposed to crash hard just because a single application couldn't handle a divide-by-zero?
SuSE Linux for Windows (Score:3, Informative)
Have fun!
Linux going for EAL5 (Score:4, Interesting)
BTW. There are Server and Embedded Linux versions that have achieved Telecom Carrier Grade certification for reliability. Microsoft won't try to get Telecom Carrier Grade certification for Windows because it is too unreliable.
Re:Is there hope? (Score:5, Informative)
Re:Is there hope? (Score:2)
Re:Is there hope? (Score:4, Informative)
Re:For the short attention span people (Score:4, Informative)
"The evaluation levels are ordered hierarchically in increments beginning from EAL1 to EAL7, with each level requiring a more advanced and intense means of testing. To date, EAL4 is the highest level certification awarded to any security product in the market."
Re:For the short attention span people (Score:4, Insightful)
Re:Im really bad at topics/subjects (Score:5, Insightful)
Just about every DoD or other federal government RFP these days requires that every part of the solution be CC EAL 3 or greater because of DoDD 8200.1 and other mandates. Without CC, you can't be considered, no matter how much better your solution is than the relatively limited menu of certified options.
The other half is FIPS 140-2, which covers data encryption. If you don't have FIPS 140-2 you can't play ball, and even then in some places like the U.S. Navy, there's another layer of certifications for NMCI and such. So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.
So will this announcement cause more enterprises to use SLES? Nope. They don't really care. Companies? Same boat. Governments? Only in those cases where SLES will exist entirely within a secure intranet or will piggyback on a generally closed-source 3rd party FIPS certified encryption system. SLES hasn't scored yet.
The other barrier is that for most potential government installs, there has to be CC certified software to run on it, unless it's just a network appliance. MySQL, Apache and all the rest would have to be CC certified to actually get a pure open source solution in the door.
The net effect is that this plays directly into the hands of the big software/hardware vendors and creates a barrier to entry for smaller players who would like to play in the federal space. Sure, SLES is certified, but with what? Oracle and IBM? Who's going to pay to get Apache2 certified for both Common Criteria and FIPS 140-2?? Or MySQL? Or PHP4? Look for more domination in the federal software market by the likes of Microsoft and Oracle, who will have even less incentive to create really good software because this somewhat meaningless certification process reduces competition and increases profitability for those who can invest in certifications.
Look at NMCI if you are doubtful. It hasn't helped the Navy improve its IT infrastructure one bit, and made EDS nearly the sole vendor for all IT for the Navy. It's the gatekeeper of the NTISSP certification process, and everything it decides to approve has to be purchased through and managed by EDS. Certifications like this are simple money grabs by major Systems Integrators and muscular software companies.
Nothing to see here. Keep moving.
Re:Im really bad at topics/subjects (Score:3, Funny)
NMCI was an utter, unmitigated, expensive disaster (Score:3, Informative)
Security? That thing has more holes than swiss cheese! All applications are run on a single box, with clients connecting via Citrix. That box is typically Windows. Windows doesn't have Orange Book B-grade compartmentalization. This means that if you wer
Re:Well now (Score:2)