Red Hat, Sun aim for security certification

 

But experts say Common Criteria evaluation is too limited to assure security in general-purpose situations

In 2006, network administrators in high-security environments will have two new general-purpose operating systems to choose from. Both Sun Microsystems' Solaris 10 and Red Hat Enterprise Linux 5 are undergoing Common Criteria evaluation at Evaluation Assurance Level 4 (EAL 4). With those certifications in hand, the vendors plan to offer desktop OSes that operate across many security levels, eliminating the need to put multiple computers, one for each security level, on analysts' desks.

But defense and intelligence organizations aren't the only ones with an eye on the Solaris and Red Hat proceedings. Even in less sensitive areas, Common Criteria can be a handy guide to how secure an operating system is.

Or can it? Experts caution that Common Criteria evaluates OSes only for trusted environments.

'We're assuming that you are not in an environment such as the Internet where you are exposed to millions of hackers,' said Helmut Kurth, chief scientist and lab director for Atsec Information Security of Austin, Texas. Atsec is evaluating RHEL on behalf of IBM Corp. 'If you want that, you would want to look for a higher assurance level.'

The Common Criteria Evaluation and Validation Scheme, managed by the National Information Assurance Partnership, contains a collection of Protection Profiles, each a specification of what a system of a given kind must do.

Solaris 10 is currently being evaluated against two profiles: the Controlled Access Protection Profile and the Role-Based Access Control Protection Profile.

The Controlled Access Protection Profile requires that the OS's access controls enforce limits on the actions users may perform on data objects on a system. It also evaluates the auditing of security-relevant events.

The Role-Based Access Control Protection Profile describes how the software handles the roles or rights applied to a group of users, such as database administrators.

Sun submitted Solaris 10 for Common Criteria testing in part because it plans to phase out its Trusted Solaris secure operating system, said Mark Thacker, product line manager of Solaris security. Long used by agencies with classified and sensitive data networks, the current version of Trusted Solaris, Version 8, has been certified to EAL 4 for the two profiles Solaris 10 is being tested against. Trusted Solaris is also certified against a third profile, the Labeled Security Protection Profile.

Labeled security applies a tag to each data file identifying its sensitivity level. The labels let the operating system handle each file with the controls appropriate to that level, eliminating the need for multiple computers of varying security levels.

To cover the functionality in the third profile, Sun plans to introduce a software add-on called Solaris Trusted Extensions, which will also undergo Common Criteria evaluation. Solaris Trusted Extensions will offer a set of labels that map directly to sensitivity levels in organizations such as the National Security Agency and the Central Intelligence Agency.

Pending the results of Sun's evaluations, customers who would have bought Trusted Solaris in the past will instead purchase the current version of Solaris along with Solaris Trusted Extensions, Thacker said.

The evaluation of Red Hat Enterprise Linux 5 is also part of a plan to replace Trusted Solaris in classified and sensitive environments, said Ed Hammersla, chief operating officer of Trusted Computer Solutions Inc. of Herndon, Va. Trusted Computer has developed some of the security extensions that were incorporated into RHEL 5.

'This allows our traditional customer base to look at Linux as a viable alternative,' Hammersla said.

Although earlier this year Red Hat submitted its Enterprise Linux for EAL 3, an EAL 4 certification would enable the company to offer the OS to secure environments, Hammersla said. RHEL includes Security-Enhanced Linux, a set of kernel-enforced access controls that confine each process to a predetermined set of permitted actions.

Agencies in general are increasingly relying on Common Criteria evaluations to judge the security of the products they buy. National Security Telecommunications and Information Systems Security Policy No. 11, for instance, mandates that agencies use Common Criteria-evaluated equipment and software for networks carrying sensitive information.

Still, experts say administrators should not assume a Common Criteria rating means an OS is bulletproof. The Common Criteria Evaluation Assurance Level specifies a degree of confidence on a scale from 1 to 7, with 7 the highest.

EAL 4 ensures that the vendor has methodically designed, tested and reviewed the software, and that an independent evaluator such as Atsec has done a basic review of the system itself. It does not, however, guarantee a full source code review.

'An evaluation at Level 4 is not a guarantee that there won't be vulnerabilities,' Kurth said.

One concern voiced about Common Criteria evaluation is that it does not take into consideration the networked environments most software operates in. Johns Hopkins associate professor Jonathan Shapiro laid out this case in a paper he wrote about Microsoft Windows 2000's EAL 4 certification [read it at GCN.com/502].

Shapiro pointed out that the protection profiles were designed to judge software in nonhostile environments, where no malicious software could infect the system. The criteria checklist assumes that hundreds of operating system services are shut off from day-to-day use. This is an unrealistic expectation, Shapiro said.

To fully enjoy the secure features of a Common Criteria-evaluated product, 'You can't hook it to the Internet, you can't run shrink-wrap software, and you will spend days turning off "features" in the shipped product that break the security of the base system,' Shapiro told GCN in an e-mail exchange.

'With a lot of different services open, it would be an extreme amount of work to guarantee that none of those would be misused,' Kurth said. Higher evaluation levels would cover all the possible combinations of services, though assessing software as complex as an operating system would be a truly arduous job.

Kurth estimates that EAL 6 certification would indicate an operating system that was ready for direct contact with the Internet. No commercial OS has achieved EAL 6 yet. An EAL 4 certification itself can take a year or longer.

Nonetheless, Kurth says that a Common Criteria evaluation can be a good guide for agencies purchasing an OS.
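The labeled security mechanism discussed above, the sensitivity tag on each file that the OS compares before allowing access, is what lets one machine hold data of several levels. The following Python model is an added example, not code from Sun's Trusted Solaris or Solaris Trusted Extensions, from Red Hat or from Trusted Computer Solutions: the level and compartment names, the `LEVEL/COMP,COMP` label syntax, the file paths and the functions (`parse_label`, `can_read`, `can_write`, `accessible`) are all constructed for illustration. It implements the two rules a labeled OS enforces on top of ordinary file permissions: a process may read only data its own label dominates, and may write only to data that dominates its label, so data never flows to a lower level.

```python
"""Toy model of the labeled security covered by the Labeled Security
Protection Profile: every file carries a sensitivity label and the OS
compares labels, not user identity, before allowing reads and writes.
Added illustration only; not Solaris Trusted Extensions or RHEL code.
Level names, compartment names, label syntax and file paths are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Hierarchical classification levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if self is at or above other in the label lattice: an equal or
        higher level AND a superset of other's compartments. Labels with
        disjoint compartments are incomparable: neither dominates the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def parse_label(text: str) -> Label:
    """Parse 'SECRET' or 'secret/crypto,nato' into a Label (constructed syntax)."""
    level, _, comps = text.partition("/")
    level = level.strip().upper()
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    compartments = frozenset(c.strip().upper() for c in comps.split(",") if c.strip())
    return Label(level, compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a process may read only objects that its
    own label dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: a process may write only objects that dominate its label
    (no write down). This is what stops a SECRET process from copying secret
    data into an UNCLASSIFIED file even when ordinary permissions allow it."""
    return obj.dominates(subject)


def accessible(subject: str, files: Dict[str, str], op: str) -> List[str]:
    """Return the sorted file names a process running at label `subject`
    may `op` ('read' or 'write') among `files` (path -> label string)."""
    check = {"read": can_read, "write": can_write}
    if op not in check:
        raise ValueError(f"unknown operation: {op!r}")
    s = parse_label(subject)
    return sorted(name for name, lbl in files.items() if check[op](s, parse_label(lbl)))


# Constructed sample: one host holding files at several labels, which is the
# point of labeled security: one machine instead of one per level.
FILES = {
    "/export/home/analyst/notes.txt": "UNCLASSIFIED",
    "/export/home/analyst/plan.doc": "SECRET",
    "/export/home/analyst/keys.bin": "SECRET/CRYPTO",
    "/export/home/analyst/liaison.doc": "SECRET/NATO",
    "/export/home/analyst/brief.pdf": "TOP SECRET/CRYPTO",
}

if __name__ == "__main__":
    for who in ("UNCLASSIFIED", "SECRET/CRYPTO"):
        print(f"{who}: read  -> {accessible(who, FILES, 'read')}")
        print(f"{who}: write -> {accessible(who, FILES, 'write')}")
```

Running it shows an UNCLASSIFIED process reading only `notes.txt` but able to write into every file (writing upward leaks nothing), while a process at `SECRET/CRYPTO` reads `notes.txt`, `plan.doc` and `keys.bin`, can write only `keys.bin` and `brief.pdf`, and cannot touch `liaison.doc` in either direction because `SECRET/NATO` and `SECRET/CRYPTO` are incomparable. A real labeled OS adds a trusted-path mechanism for deliberate downgrades and still applies discretionary permissions on top; this model shows only the label comparison.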
www.gcn.com







