HP earns Common Criteria certification for Red Hat Linux on its hardware

U.S. government procurement requires security program

HP says a broad range of its computer hardware running Red Hat Enterprise Linux 5 has been examined and certified as compliant under the international Common Criteria product-evaluation program backed by the U.S. government and sometimes required for government technology acquisitions.

HP’s Integrity, ProLiant, and BladeSystem platforms, as well as workstations and desktops, have received the Evaluation Assurance Level 4 (EAL4+) Common Criteria security certification for Red Hat Enterprise Linux 5, the version of the operating system released last March. EAL4+ is the highest level of security that unmodified commercial software can achieve. Higher rankings to level 7 typically involve highly customized systems designed for maximum-security government purposes.

However, Erik Lillestolen, program manager for open source and Linux at HP, noted that the Xen-based technology for virtualization that’s part of Red Hat Linux 5, was not tested under the Common Criteria program.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

HP says a broad range of its computer hardware running Red Hat Enterprise Linux 5 has been examined and certified as compliant under the international Common Criteria product-evaluation program backed by the U.S. government and sometimes required for government technology acquisitions.

HP’s Integrity, ProLiant, and BladeSystem platforms, as well as workstations and desktops, have received the Evaluation Assurance Level 4 (EAL4+) Common Criteria security certification for Red Hat Enterprise Linux 5, the version of the operating system released last March. EAL4+ is the highest level of security that unmodified commercial software can achieve. Higher rankings to level 7 typically involve highly customized systems designed for maximum-security government purposes.

However, Erik Lillestolen, program manager for open source and Linux at HP, noted that the Xen-based technology for virtualization that’s part of Red Hat Linux 5, was not tested under the Common Criteria program.

“Nobody has included the virtualization technology yet,” he added about the Common Criteria security-evaluation program, which is backed by several countries as a multinational testing regimen.

HP submitted its computer gear for evaluation at Atsec, a certified lab under the U.S. government program known as the National Information Assurance Partnership (NIAP), a collaborative effort among the National Institute of Standards and technology (NIST) and the National Security Agency (NSA) which administers the Common Criteria program in the United States.

The EAL4+ certification level for unmodified commercial products assures that they work with security “profile” requirements, such as the Controlled Access Protection Profile, the Role-based Access Control protection Profile and the labeled Security protection profile. Lillestolen noted that the lab review entailed an inspection of source code and evaluation of how software performed on hardware platforms.

Read more about software in Network World's Software section.