>  From: "Ng, Kenneth (US)" <[EMAIL PROTECTED]>
>  To: [EMAIL PROTECTED]
>  Date: Mon, 27 Mar 2000 13:49:39 -0500
>  
>  Just saw the following on cnn.com:
>  http://cnn.com/2000/TECH/computing/03/27/secure.standard.idg/index.html
>  
>  Does anyone have any independent views or experiences with this service?

Yes, our company is undergoing a Common Criteria evaluation right now.

The CC is the next generation of the Orange Book and its ilk (TPEP, etc.).

The way it works is as follows:

1) You write a document called a Security Target, in which you describe
the security components of the product.  This includes the intended
environment, assumptions, threats, etc., as well as an exact description
of what is going to be evaluated (the Target of Evaluation, or TOE).  The
CC requires some formalism here -- the security functionality is selected
from a large "menu" of security functions.  The ST also states an evaluation
assurance level (EAL), which ranges from 1 to 7.  The EAL comes from a
second menu of assurance items, such as testing, design documentation,
administrator documentation, development environment, engineering practices,
etc.  The EALs are really just pre-selected collections of these assurances,
and they are hierarchical: EAL3 is a superset of EAL2 which is a superset
of EAL1.  You don't have to pick an EAL, you can mix and match from the
menu, but whatever you choose will have to make sense and be consistent.

2) You submit your ST to a certified evaluation lab and they check it
for internal consistency.  For example, if your product claims to do
auditing, but has no access control mechanism to protect the audit files,
your ST won't pass.  The CC defines dependencies between various menu
items (for both security functionality and assurances), and the lab makes
sure your ST holds together properly.

3) You then submit your product and documentation (and source code for
higher EALs) to the evaluation lab and they check it out.  They look at
the design docs, testing procedures, etc.  Plus, they do their own
vulnerability and penetration testing -- the extent is determined by
the EAL level.

4) If you pass, and the lab is a gov't certified lab, you'll get a
certificate for the product.

EAL1 is basically kicking the tires.
EAL2 is somewhat like an old C2 evaluation in terms of the level of effort
     needed to pass.
EAL3 is more than the old C2, but less than B1.
EAL4 is similar to B1, but maybe a little more.
EAL5-7 roughly correspond to B2, B3, and A1.

But remember, this isn't the Orange Book -- the vendor describes the
security features and the product.  You could take a product with tons
of security features but evaluate it at a very low assurance level, or
you could take a very simple product with very few security features and
evaluate it to a very high level.  The EAL doesn't tell you WHAT got
evaluated, just how much effort went into checking it.

The CC has been accepted by the US, Canada, Germany, the UK, France, 
the Netherlands, Australia, and New Zealand.  It is now an ISO standard.
The previously mentioned countries have agreed to accept each other's
evaluations up to EAL4.

The CC can be used to evaluate firewalls, operating systems, smart cards,
complete systems, and almost anything else.  Since the vendor describes
the product in the Security Target, it is much more flexible than the
old NCSC/NSA TCSEC mechanism.

Our company is the first EAL4 being done in the US, and we are the first
ones with a CC operating system evaluation in the US, so we are finding
areas of the CC that need to be interpreted to set precedence.  The lab
doing our evaluation is a division of CSC.  In the US, the NSA and NIST
oversee the evaluation and the CC labs but they aren't as involved as
they were with the old Orange Book evaluations.

There's an international CC conference in the Baltimore area on May 23
if anyone is interested.  It's sponsored by NIST/NSA.  I'll be doing a
session on operating system Security Targets and our experiences with
the CC so far.

paul

---------------------------------------------------------
Paul A. McNabb, CISSP           Argus Systems Group, Inc.
Senior Vice President and CTO   1809 Woodfield Drive
[EMAIL PROTECTED]        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------