SUSE Awarded EAL4 Certification 160
An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."
Same League as Windows 2000..... (Score:5, Funny)
Re:Same League as Windows 2000..... (Score:5, Insightful)
I'm not saying that Linux doesn't deserve it, just that I don't understand how they were able to meet that criteria.
Re:Same League as Windows 2000..... (Score:5, Informative)
The certification doesn't require documenting all the code.... it's more about overall system design,the security model, user authentication, etc.
Re:Same League as Windows 2000..... (Score:2)
Re:Same League as Windows 2000..... (Score:3, Funny)
Re:Same League as Windows 2000..... (Score:2, Interesting)
Re: "meeting design documentation": In my experience, in practice this often involves generating "design documentation" after the fact. Roughly speaking, this could be for example by following a process like this: write the code, comment the functions, run doxygen on it or something, print that out, and present it as the "design documentation". Voila, your implementation meets the 'design spec', congratulations.
Re:Same League as Windows 2000..... (Score:2)
Re:Same League as Windows 2000..... (Score:2)
Re:Same League as Windows 2000..... (Score:4, Insightful)
MS Windows 2000 has this cert. Exactly where is _all_ this MS documentation available to the public? Oh, that is right, it is not. So exactly why would "Linux" need to have this public documentation? "Linux" wasn't certified. A specific implementation of Linux, SuSE Linux Enterprise Server 9, was awarded this certification level. Novell put in the effort needed to achieve this certification, including proper documentation.
The Linux kernel is Open Source, as well as most/all of the GNU code base forming the complete OS. I can go out and build my own Linux distro (which I have done for personal use based on LFS). However, that doesn't mean that _my_ version of GNU/Linux is EAL4 certified. If you read the articles or even the simple summary, you should have clearly understood that currently, the only version of Linux to be EAL4 certified is, SuSE Linux Enterprise Server 9.
Re:Same League as Windows 2000..... (Score:2)
I also did not suggest that Novell didn't put effort into the documentation. I said, I didn't understand how any Linux distro could meet design documentation that very likely didn't exist when the software was being designed.
I wouldn't think (and I could be wrong), that generating design documentation after the fact is evidence of proper design (which is what the EAL is trying to ver
Re:Same League as Windows 2000..... (Score:3, Interesting)
There are no restrictions on the development process. The point is that it gets validated as a finished item, so it doesn't matter how it got that way. It also doesn't matter who writes the documents, so long as they have the necessary information.
It will be interesting to see when SuSE does with the documents which were part of the process. It would als
Re:Same League as Windows 2000..... (Score:2)
It's when you get into extreme levels of trust that the design needs to be a little better documented. I don't believe the Common Criteria has anything that goes as high as the Orange Book's B3 or A1 certifications, but IIRC those did require a level of proof that the code was correctly implemented, not merely that the mechanisms were all present and apparently funcioning.
Re:Same League as Windows 2000..... (Score:2)
If higher EAL levels were well defined, it might actually be easier for Linux to achieve them, because it would simply be a matter of writing out how Linux security is supposed to work, and then checking that no transition from an allowed state to a disallowed state can happen. I
Re:Same League as Windows 2000..... (Score:2)
"EAL2 level is more detailed because it includes the high-level design and detail specifications of the target of evaluation. This level and its latter counterparts require developer testing and a vulnerability analysis. EAL3 analysis expands the testing coverage of the security functions and mechanisms and offers added security measures by ensuring that the target of evaluation is not tampere
Re:Same League as Windows 2000..... (Score:2)
The Linux kernel could never get an EAL rating as it is developed by Linus et al, but that doesn't mean that a proces
Re:Same League as Windows 2000..... (Score:2)
I think you misspelled "produced with as much paperwork as Windows 2000"
RHEL 4 - EAL4+ coming (Score:5, Insightful)
Re:RHEL 4 - EAL4+ coming (Score:5, Insightful)
The biggest issue I have seen with CC is more in the understanding, or lack there of, of what is covered in a CC eval on both consumers and vendors. Vendors obviously promte the CC eval because it is expensive and has a certain cache. Users tend to glaze over reading the certification docs and most often don't make it very far before checking whatever check box they need.
Re:RHEL 4 - EAL4+ coming (Score:1, Informative)
it is expensive and has a certain cache
It's cachet, not cache. Cache is storage; cachet is that certain attraction.
Cache is pronounced "cash" cachet is "cashay".
Get it right, people!
Wasn't there .... (Score:4, Funny)
I think the MS has improved on that with 2k, etc. , but I'm not sure.
Re:Wasn't there .... (Score:5, Funny)
"Windows NT's Security Certification means that firewalls are optional" -- actual bullshit advice from a microsoft document in the mid-90s.
Re:Wasn't there .... (Score:2, Funny)
I actually think most of this was the old "poking fun at Microsoft", tho. I mean, if that was the case, I doubt it would get certified.
On the other hand, I never had much respect for those rainbow certifications.
Re:Wasn't there .... (Score:1)
C2 is a security specification for standalone, non-networked, non-distributed computing environments.
Re: (Score:3, Informative)
Re:That is true (Score:1)
No removable midia = no backup
How trustworthy is that ?
And I really don't recall (I might be wrong) HP/UX requiring the removal of the floppy drive to be certified C2.
Re:That is true (Score:3, Informative)
No removable midia = no backup
It depends on what you describe as a joke.
It allows the marketing 'droids to say things like 'We took a C2 certified system, added a ZIP drive and 3COM ethernet card, and voila one of the most usable, secure systems you could hope for.' (then hold their breath and hope that the carefully balanced shoe doesn't drop).
It's not fraud if you honestly (if misleadingly) document what you're doing.
Re: (Score:2)
Re:Wasn't there .... (Score:2, Informative)
Re:Wasn't there .... (Score:2)
Granted, the number of uses for such a machine is probably fairly small, but they do exist. Many networks have an entire server that's never connected to any netw
Re:RHEL 4 - EAL4+ coming (Score:5, Insightful)
It's really a matter of money and time.
That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).
Initially, there were a lot of concerns when Novell acquired SuSE around their committment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary. So, those concerns have been put to bed, it makes Novell/SuSE a very attractive Linux option. They have the resources, relationships, and talent to work quickly and effectively - developing solid, certified, and feature-rich open software.
Please don't mistake this comment as Red Hat bashing. I am simply pointing out that Novell has the resources to really make a difference in the US Linux market - and things like achieving EAL4 (so quickly) prove that.
It was mostly IBM's effort (Score:2, Interesting)
That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).
IBM paid for it. IBM's engineers did it. They do this kind of thing on behalf of the distro's it uses on its hardware. It has absolutely nothing to do with the resources of Novell
Re:RHEL 4 - EAL4+ coming (Score:2)
If it's Free Software [fsf.org] then they can't buy it up and make it proprietary because it's licensed under the GPL! I'm not saying that Novell isn't doing good st
Re:RHEL 4 - EAL4+ coming (Score:2)
SuSE, FreeS/Wan etc all existed as GPL'ed and LGPL'ed projects prior to the acquisition by Novell, so I don't see how you can give Novell credit for abiding by the terms of the copyright? Yes, Novell are great, SuSE is great, but what I'm happier about is going to be the release of new GPL'ed material.
From one of the engineers... (Score:5, Informative)
Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.
It's really a matter of money and time.
And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.
Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.
Re:From one of the engineers... (Score:2)
My heartfelt thanks. (Score:2)
If I could give you a hug, I would.
Re:From one of the engineers... (Score:2)
We have a secure protection profile ironed out, documented, and deployed
Can you provide a reference to the profile? Or even just a very high level, one- or two-sentence description?
I know the Win2K PP, for example, assumed that the machine was not connected to a network. Was network access part of the SuSE PP?
Re:From one of the engineers... (Score:2)
And my eternal gratitude. Realize that many of the trolls here have at best a vague guess of what exactly EAL4 is.
EAL4 is a ton of work, documentation probably being the worst part. In fact, given the nature of the kernel alone I wasn't even sure you could do it.
IBM Effort + Novell/SuSE Processes (Score:4, Informative)
But Novell/SuSE also deserves credit for running a top-notch configuration management system (Autobuild), having controls and procedures for keeping track of where which patches that get incorporated come from, and for having a patch notification and publication process that enables customers to get timely notification of necessary patches.
The business processes surrounding manufacturing the distribution and supporting customers on a global basis are valuable Novell/SuSE contributions.
Disclaimer: I work for Novell and work with the folks at SuSE on a daily basis.
Im really bad at topics/subjects (Score:1, Redundant)
Re:Im really bad at topics/subjects (Score:5, Insightful)
Just about every DoD or other federal government RFP these days requires that every part of the solution be CC EAL 3 or greater because of DoDD 8200.1 and other mandates. Without CC, you can't be considered, no matter how much better your solution is than the relatively limited menu of certified options.
The other half is FIPS 140-2, which covers data encryption. If you don't have FIPS 140-2 you can't play ball, and even then in some places like the U.S. Navy, there's another layer of certifications for NMCI and such. So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.
So will this announcement cause more enterprises to use SLES? Nope. They don't really care. Companies? Same boat. Governments? Only in those cases where SLES will exist entirely within a secure intranet or will piggyback on a generally closed-source 3rd party FIPS certified encryption system. SLES hasn't scored yet.
The other barrier is that for most potential government installs, there has to be CC certified software to run on it, unless it's just a network appliance. MySQL, Apache and all the rest would have to be CC certified to actually get a pure open source solution in the door.
The net effect is that this plays directly into the hands of the big software/hardware vendors and creates a barrier to entry for smaller players who would like to play in the federal space. Sure, SLES is certified, but with what? Oracle and IBM? Who's going to pay to get Apache2 certified for both Common Criteria and FIPS 140-2?? Or MySQL? Or PHP4? Look for more domination in the federal software market by the likes of Microsoft and Oracle, who will have even less incentive to create really good software because this somewhat meaningless certification process reduces competition and increases profitability for those who can invest in certifications.
Look at NMCI if you are doubtful. It hasn't helped the Navy improve it's IT infrastructure one bit, and made EDS nearly the sole vendor for all IT for the Navy. It's the gatekeeper of the NTISSP certification process, and everything it decides to approve has to be purchased through and managed by EDS. Certifications like this are simple money grabs by major Systems Integrators and muscular software companies.
Nothing to see here. Keep moving.
Re:Im really bad at topics/subjects (Score:1)
This is the same EDS that keeps screwing up [theregister.co.uk] all those important govenment systems [publictechnology.net]? The EDS that managed to take down 60,000 PCs [theregister.co.uk]? They let that EDS run military systems?
Re:Im really bad at topics/subjects (Score:2, Informative)
FIPS is a compliance level for encryption, and seeing as that it isn't hard to add this ability to applications, I'm not seeing th
Re:Im really bad at topics/subjects (Score:2)
NMCI has been a major pain in the butt for us. NAVSUP wants to do more handheld work, and all that is available on CLIN 23 is ancient, non-Wifi crud or Blackber
Re:Im really bad at topics/subjects (Score:2)
So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.
I've wondered about that after seeing some posts about it earlier.
Are the hurdles preventing something like OpenSSL or GnuTLS from receiving FIPS certification mainly technical, or financial?
Re:Im really bad at topics/subjects (Score:3, Funny)
Re:Im really bad at topics/subjects (Score:2)
NMCI was an utter, unmitigated, expensive disaster (Score:3, Informative)
Security? That thing has more holes than swiss cheese! All applications are run on a single box, with clients connecting via Citrix. That box is typically Windows. Windows doesn't have Orange Book B-grade compartmentalization. This means that if you wer
Certs/ (Score:4, Insightful)
We should remember, for non-technical people (i.e.: most of the government) this is all they have to judge tehcnical suitability for the job. And like the beauracrats they are, they adhere pretty strictly to these things.
So yes, it is a big deal that a major distro's broken through some of the red tape.
Re:Certs/ (Score:1)
Having said that, I will note that this evaluation was to an actual protection profile (the CAPP [nist.gov]), so the evaluation means something, unlike some [bsi.bund.de] other [cesg.gov.uk] evaluations [bsi.bund.de] that I could mention.
pSeries or xSeries? (Score:2, Interesting)
Maybe I missed it in the article, but I am curious if it was on a pSeries or xSeries. SLES9 on a pSeries box is a damn good combination. On the xSeries, it's o.k. but you do not have the peace of mind you get with the pSeries hardware.
I feel a little more confident in our military using that than MS windows on cheap beige boxes.Re:pSeries or xSeries? (Score:3, Interesting)
When the config earned EAL2+, it was on xSeries, but according to this [ibm.com], they earned EAL3+ on *all* platforms. I did a little digging but couldn't find if the same applies to this certification. I know it doesn't answer your question, but it may keep your hopes up to dig some more. As an IBM consultant doing Linux on x, p, and z.. I say "cool!"
Well, not quite (Score:2)
Re:Well, not quite (Score:2, Informative)
Microsoft and Linux Denial (Score:5, Insightful)
Well I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying. False statements hurt worse than the bitter truth of "your product isn't good enough". I rather trust a company and have something that works okay and secure than some company that hides facts and has a better product in some ways, just not security.
It is funny how someone came out with a report saying windows is more secure, but is that based off the experimental code or source and which distribution. Novell and SuSE have always taken security as a priority and it shows.
Re:Microsoft and Linux Denial (Score:4, Informative)
Re:Microsoft and Linux Denial (Score:3, Insightful)
People tend to like things that are tried and true and are known to run solid.. Or with small incremental changes, done carefully.
The problem with XP is two-fold.. first.. it (the "jump" to XP) was just that, a jump, that wasnt all that carefully considered beforehand (MS just figured that most people would go with it, because after all, it IS the latest and greatest).
Second, MS marketing actually shot them in the foot here. They marketed this as the "hot new thing", "new and
Re:Microsoft and Linux Denial (Score:4, Interesting)
The only thing I would add is that this applies all across the board. Home users and corporate office users are in the same boat: they often have no interesting in "upgrading" to get more whiz-bang because they don't need it and don't want the headaches. That's the essentially conservative attitude that the bulk of users have, because any significant change means they may have to spend time and money they don't have to learn something new, deal with problems that weren't there before, and may find their shiny new OS and apps interfering with getting their jobs done. Microsoft's feature-oriented marketing and forced upgrade cycles have probably caused more lost man-hours than the common cold.
Re:Microsoft and Linux Denial (Score:2, Insightful)
well, there's one... (Score:3, Insightful)
Here's the obvious point: If you are trying to SELL it it matters. Discussing it on slashdot and what it really means or does is one thing, getting some org or agency or corporation to drop x-millions of dollars in your lap for your product is another. One of the main complaints about Linux that you read over and over is "how do you make money with open source software"? Well, here's one way to make that a reality. Jump through
Re:Microsoft and Linux Denial (Score:2)
If it were easy to do and almost all major vendors could claim complience then why wouldn't MS make sure that XP was certified. They made a big deal about Win2000 certification when they got it. It's cheap marketing for MS and fuel for their FUD engine, which they know they need to keep fed. I doubt that MS simply doesn't care about certification or couldn't put enough resourc
Re:Microsoft and Linux Denial (Score:3, Insightful)
It's really a _lot_ of paperwork and I'm sure that MS got that cert everywhere it really matters. As for linux, seeing distros get that cert means that they have certain hopes to see linux in some places that require EAL4. Nothing more.
"I'm sure Gates would have like to have been able to say , "Hey, XP's EAL4 certified by the US government" when asked about MS's
Re:Microsoft and Linux Denial (Score:2)
IIRC, EAL is based on a specific version of the operating system, running on specific hardware. It's relatively pointless (IMO) to certify a desktop operating system which can run on a myriad of hardware - or you would certify, but only on a very limited range of hardware. It probably means relatively little.
Well now (Score:1, Insightful)
Re:Well now (Score:2)
Re:Well now (Score:2)
I saw this coming. (Score:2)
I saw Redhat blink so I took the Suse path.
No regrets...
SuSE is a good way to go (Score:2)
I put all my efforts and support in Suse about 2 years ago and all my eggs in the Linux basket (in general) about 4 years ago.
I did the same thing. There's been a few warts (configuring Samba, some graphics issues which weren't well documented) but it's generally been good. SuSE is pretty easy to work with, reasonably polished. They could do a better job keeping up with some of the big name open source software like Mozilla through the official update channels (they're usually a few versions behind) bu
Re:SuSE is a good way to go (Score:3, Interesting)
The trouble is that Adaptec seems to think that doing RAID-1 in the device driver is somehow a good idea and worthy to be very secretive about. So they provide binary-only drivers for their card and it is 3 kernel versions behind.
Of course we need no Adaptec software RAID-1 as Linux has it in the kernel. After some searching and asking I found a patch that allowed the Adaptec controller to operate as a plain SCSI controller and from
Is there hope? (Score:1)
Re:Is there hope? (Score:5, Informative)
Re:Is there hope? (Score:1)
Re:Is there hope? (Score:2)
Re:Is there hope? (Score:4, Informative)
Re:Is there hope? (Score:2)
Just because some people are doing it doesn't mean that it's OK.
Re:DISA may not care... (Score:2)
All of my experiences with DISA showed me that they're not too forgiving for wandering far past the boundries.
Re:Is there hope? (Score:2)
red is evil. (Score:1, Interesting)
Not suprised (Score:2)
Re:Not suprised (Score:2)
For FWIW, all the Federal networks I've worked on, I've seend damn few Novell servers. A lot of them used to run Novell, then migrated to Windows. I don't recall NetWare being on the EPL for the command I work for, so it might have already gone the way of the dodo.
Re:Not suprised (Score:2)
Unsinkable (Score:2)
Re:Unsinkable (Score:5, Informative)
The US retired the Rainbow Series a while ago, but EAL4 is about a close approximation to C2.
Re:Unsinkable (Score:2)
Re:Unsinkable (Score:2)
Re:Unsinkable (Score:2)
Re:Unsinkable (Score:2)
Re:Unsinkable (Score:2)
(when are they going to fix that, by the way?)
Re:Unsinkable (Score:2)
They rebooted the workstations, reconnected the control app, and steamed back into port. I guarantee that if the scuttlebutt was true, there were more than a few asses chewed over that one. The Navy prefers redundant systems in case, you know, so
Re:Unsinkable (Score:3, Insightful)
Can I get some of what you're smoking? Since when is an OS supposed to crash hard just because a single application couldn't handle a divide-by-zero?
Re:Unsinkable (Score:1)
No, when battleships were in use they had analog mechanical fire control computers the size of washing machines. The "software" was a bunch of gyros, gears and cams.
SuSE Linux for Windows (Score:3, Informative)
Have fun !
Linux going for EAL5 (Score:4, Interesting)
BTW. There are Server and Embedded Linux version that has achieved Telecom Carrier Grade certification for reliablity. Microsoft won't try to get Telecom Carrier Grade certification for Windows because it is too unreliable.
MonteVista Carrier Grade Linux (Score:2)
They also make a version targetted for embedded/settop uses.
Where can I find the Windows 2000 certification? (Score:2)
= Ch =
Re:For the short attention span people (Score:4, Informative)
"The evaluation levels are ordered hierarchically in increments beginning from EAL1 to EAL7, with each level requiring a more advanced and intense means of testing. To date, EAL4 is the highest level certification awarded to any security product in the market."
Re:For the short attention span people (Score:2)
Re:For the short attention span people (Score:2)
There's a big difference between smart cards and an entire OS. A smart card carries data and the means to encrypt/decrypt it. An OS makes the entire box work the way it's designed to (theoretically, anyway).
Maybe gaining EAL4 doesn't open the floodgates. But it certainly puts a foot in the door.
Re:For the short attention span people (Score:2)
That's what I said, unless you call a machine + os not an entire system that is. More certification is probably better, though I seriously doubt that this will mean that there are less chance of errors. For that, a new system is needed, e.g.
Re:For the short attention span people (Score:4, Insightful)