* Fw: [ISN] IBM earns Linux certification
@ 2003-08-07 18:29 David Eaves
  2003-08-07 20:45 ` Florian Weimer
  2003-08-08  9:01 ` Tom
  0 siblings, 2 replies; 4+ messages in thread
From: David Eaves @ 2003-08-07 18:29 UTC (permalink / raw)
  To: selinux

As someone said yesterday, this has to do with assurance, not strength of
security as such (I'm paraphrasing).

Yes, it's true the door got a little wider for Linux. But first of all,
EAL2 and EAL3 are barely adequate for e-commerce in general, and not for a
level of threat posed to military systems in time of war, by a highly
capable adversary, with all the resources of a wealthy nation-state, and
willing to take extreme risks, as the CC conga-line dance goes. US military
C4I orgs will not be likely to find this useful, press agents
notwithstanding.

EAL4 is required even for relatively ordinary protection between information
enclaves. The CC system goes up to EAL7, which requires formal proofs of
linkage between security targets, protection profiles, and the design and
implementation of the products in question. The outlook even for SE-linux is
doubtful above EAL4, ever. And EAL2 is pretty much kids playing in a sandbox
by comparison, so IBM/Suse is no competitor with SE at this point.

More to the point though, CAPP, controlled access protection profile,
assures only what it says, controlled access. As long as it's never hooked
up to a network or has an IP stack running, assurances are reasonably strong
that nobody will be able to access it who is not supposed to. The Windows
product lines already have EAL4+ (what the plus means I don't know) versus
CAPP, which as a protection profile is next to worthless from my pov.
Solutions I need will have to address the MDSPP and MNISPP profiles, which
are much wider in scope and more difficult to assure.

Bottom line is that this is a lot of noise from IBM, cost a total of about
3/4 of a million, cheap marketing for them, half a mil for the cert lab, the
rest for schmoozing reporters, big noise and flashy lights. Good for Linux
vis-a-vis Windows, but it's pretty much irrelevant in real life, or to
people who work with SE-linux. And way overdue.

Dave Eaves
Principal Information Assurance Software Engineer
Planning Systems, Inc

----- Original Message ----- 
From: "Russell Coker" <russell@coker.com.au>
To: "SE Linux" <selinux@tycho.nsa.gov>
Sent: Thursday, August 07, 2003 8:54 AM
Subject: Fwd: [ISN] IBM earns Linux certification


>
>
> ----------  Forwarded Message  ----------
>
> Subject: [ISN] IBM earns Linux certification
> Date: Thu, 7 Aug 2003 17:34
> From: InfoSec News <isn@c4i.org>
> To: isn@attrition.org
>
> Forwarded from: William Knowles <wk@c4i.org>
>
> http://www.fcw.com/fcw/articles/2003/0804/web-linx-08-06-03.asp
>
> By Rutrell Yasin
> Aug. 6, 2003
>
> The door just got a little bit wider for Linux to be used by
> government agencies for mission-critical systems now that IBM Corp.
> has earned security certification for the open-source operating
> system.
>
> IBM and SuSE Inc. Linux have achieved Common Criteria security
> certification for SuSE Linux Enterprise Server 8 running on IBM
> eServer xSeries. The Common Criteria are internationally recognized
> standards used by the federal government and other organizations to
> assess the security of technology products.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Fw: [ISN] IBM earns Linux certification
@ 2003-08-07 21:19 David Eaves
  0 siblings, 0 replies; 4+ messages in thread
From: David Eaves @ 2003-08-07 21:19 UTC (permalink / raw)
  To: selinux

SE-linux appears to be headed for a DCID certification at NSA, to expedite its
availability, rather than a CC one? Is that right, Steve? If you can say one
way or the other.

MDSPP and MNISPP are available at
http://www.iatf.net/protection_profiles/profiles.cfm, under Multiple Domain
Solutions, and Multinational Information Sharing, respectively. MDSPP is a
little bit shaky in terms of usefulness, while MNISPP is more geared toward
workflow and systems. Neither one is the be-all and end-all of CC though.

Flaw remediation sounds a little dubious in terms of assurance, but every
little bit helps I guess... It sounds a little like credit ratings for
bonds, BBB+ versus BBA-, i.e. fine gradations beyond actual resolvable
differences.

Anyway, since everybody seemed to be making such a fuss, I just wanted to
state the obvious, regarding the general unimportance of the IBM/Suse-linux
noise. Back to work now.

Dave Eaves
Principal Information Assurance Software Engineer
Planning Systems, Inc

----- Original Message ----- 
From: "Florian Weimer" <fw@deneb.enyo.de>
To: "David Eaves" <deaves@plansys.com>
Cc: <selinux@tycho.nsa.gov>
Sent: Thursday, August 07, 2003 1:45 PM
Subject: Re: Fw: [ISN] IBM earns Linux certification


> "David Eaves" <deaves@plansys.com> writes:
>
> > The Windows product lines already have EAL4+ (what the plus means I
> > don't know)
>
> EAL 4 plus flaw remediation procedures.
>
> > versus CAPP, which as a protection profile is next to worthless from
> > my pov.
>
> I agree.
>
> > Solutions I need will have to address the MDSPP and MNISPP profiles, which
> > are much wider in scope and more difficult to assure.
>
> Are the profiles already fully defined and available for
> certification, and can they be applied to software which wasn't
> designed from the beginning to meet those criteria?

