
System security finds common ground

Beginning this month, all new national security systems must pass Common Criteria testing.



Don't bother dusting off that little-used Orange Book before dumping it in the trash. The federal government's new Common Criteria manual for computer security evaluation just arrived, and this time it has global backing so it just might work.

The National Security Agency (NSA) has ordered that, as of this month, all new national security systems have to run operating systems, applications, firewalls and other security equipment that have passed the stringent testing spelled out in Common Criteria. What's more, the purchasing mandate may be expanded to include civilian agency purchases.

Common Criteria marks the first time governments around the world have united in support of a single security evaluation program, and that should help shorten testing and lower costs, the two problems that plagued the Orange Book approach.

"It used to be very expensive to evaluate products under the Orange Book scheme," says Mary Ann Davidson, chief security officer at Oracle, the first database vendor to win the coveted Common Criteria certification for its products. "One of the benefits of the Common Criteria is the mutual recognition by all the nations involved."

That means that the 15 countries backing the Common Criteria agree to accept the lab results without requiring more testing. "Common Criteria is good for us because it makes us build better products," Davidson says.

By all accounts, the NSA's Orange Book program, in which the NSA forced vendors through prolonged product testing at Ft. Meade, Md., was a dismal failure. And the government's failure to buy Orange-Book-tested products, which were often out of date after years of testing, was a blow to vendors that invested huge sums in Orange Book evaluations.

As an international movement, CC has expanded since its start as a collaborative effort by five countries in 1996. Today, 15 nations formally recognize Common Criteria and two-dozen labs around the world are accredited to perform CC evaluations. Common Criteria, as a process, has also been adopted as an ISO standard (ISO/IEC 15408).

In the U.S., the mandate to buy CC-evaluated products stems from a directive issued two years ago by the NSA. This directive, National Security Telecommunications and Information Systems Security Policy No. 11 (NSTISSP No. 11), primarily affects buying habits in the Department of Defense. But civilian agencies and outside government contractors that process sensitive government data also need to comply.

"We have systems at Commerce [Department] and the State Department that run national security systems," says Ron Ross, director of the National Information Assurance Partnership (NIAP). NIAP is the collaborative effort by the NSA and the National Institute of Standards and Technology (NIST) to foster U.S. participation in the Common Criteria program.

Products that need to meet CC requirements include databases, operating systems, firewalls, biometrics and other security software and hardware, including smart cards. About 75 products have received CC certification, a process that can take three months to more than a year.

The OS and the CC

Ross says the most important component Common Criteria evaluates is the operating system. The ideal situation, he notes, would be to have a CC-evaluated security product, such as a firewall, running on a CC-evaluated operating system. However, there are a limited number of CC-certified operating systems. SGI last month had its Trusted IRIX 6.5 and its standard IRIX 6.5 operating system certified.

"We're happy to hear about this," says Mike Clancy, chief scientist and deputy technical director at the U.S. Navy's Fleet Numerical Meteorology and Oceanography Center in Monterey, Calif., which uses the Trusted IRIX server in its computational analysis of weather and wave heights. If Fleet Numerical wants to purchase additional Trusted IRIX servers, there won't be a problem with the NSTISSP No. 11 purchasing directive.

Much of what Fleet Numerical does for the Navy, Air Force and intelligence agencies is unclassified. But because a portion of the work is classified, Fleet Numerical must abide by security rules that prohibit mixing classified and unclassified data. The Trusted IRIX server, which has multilevel security compartments, lets Fleet Numerical isolate different types of data on the same server: every file and process carries a sensitivity label, and the operating system, not the application, decides which labels may read or write which data.
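The label checks behind "multilevel security compartments" are worth seeing concretely. The following is an added example written for this edit, not code from SGI, Sun or Fleet Numerical; it implements the textbook Bell-LaPadula rules (no read up, no write down) over labels made of a hierarchical level plus a set of compartments. The product names, the "WEATHER" compartment and the file contents are constructed for illustration; real trusted operating systems add many refinements (for example, most restrict writes to exactly-equal labels rather than allowing blind "write up"), so treat this as the model, not as any vendor's implementation.

```python
"""Label-based mandatory access control in the Bell-LaPadula style (added example, not vendor code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a (possibly empty) set of compartments."""
    level: Level
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's AND A carries every compartment B has.
        return self.level >= other.level and other.compartments <= self.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject may read only what its clearance dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: a subject may write only to objects whose label dominates its own (no write down).
    Strict Bell-LaPadula therefore permits blind writes upward; many real systems narrow this to equal labels."""
    return obj.dominates(subject)


class LabeledStore:
    """Toy file store in which every object carries a label; the reference-monitor checks live here,
    so an application can never bypass them by 'forgetting' to check."""

    def __init__(self) -> None:
        self._objects: dict[str, tuple[Label, str]] = {}

    def create(self, name: str, label: Label, data: str = "") -> None:
        self._objects[name] = (label, data)

    def read(self, subject: Label, name: str) -> str:
        label, data = self._objects[name]
        if not can_read(subject, label):
            raise PermissionError(f"read up denied: {name}")
        return data

    def write(self, subject: Label, name: str, data: str) -> None:
        label, _ = self._objects[name]
        if not can_write(subject, label):
            raise PermissionError(f"write down denied: {name}")
        self._objects[name] = (label, data)


def _allowed(action) -> bool:
    """Run an access attempt and report whether the reference monitor permitted it."""
    try:
        action()
        return True
    except PermissionError:
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario: unclassified and classified forecast data sharing one server."""
    unclass = Label(Level.UNCLASSIFIED)
    secret_wx = Label(Level.SECRET, frozenset({"WEATHER"}))   # hypothetical compartment
    secret_plain = Label(Level.SECRET)                         # SECRET but not read into WEATHER

    store = LabeledStore()
    store.create("public_forecast.txt", unclass, "wave height 2m")
    store.create("fleet_forecast.txt", secret_wx, "wave height at grid 17: 6m")

    results = {}
    # An unclassified job may read public data ...
    results["unclass_reads_public"] = store.read(unclass, "public_forecast.txt") == "wave height 2m"
    # ... but not the classified, compartmented file (no read up).
    results["unclass_reads_classified"] = _allowed(lambda: store.read(unclass, "fleet_forecast.txt"))
    # A SECRET/WEATHER process may read both labels ...
    results["secret_reads_public"] = _allowed(lambda: store.read(secret_wx, "public_forecast.txt"))
    # ... but must not copy its results into the unclassified file (no write down).
    results["secret_writes_public"] = _allowed(lambda: store.write(secret_wx, "public_forecast.txt", "leak"))
    # A SECRET process lacking the WEATHER compartment is still refused: level alone is not enough.
    results["secret_nocompartment_reads_classified"] = _allowed(lambda: store.read(secret_plain, "fleet_forecast.txt"))
    # The denied write left the public file untouched.
    results["public_unchanged"] = store.read(unclass, "public_forecast.txt") == "wave height 2m"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:45s} {'allowed' if outcome else 'denied'}")
```

The point the article's sources make about an evaluated operating system matters here: the checks in `LabeledStore` are only as good as their enforcement point. On a labeled OS they sit in the kernel and apply to every process; in an ordinary application they are one missed call away from being bypassed, which is why Ross wants the evaluated product to run on an evaluated OS.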

While it's not clear how the CC mandate will be policed, the issue could arise during the periodic audits done by the Defense Information Systems Agency to ensure that proper security procedures are being followed.

Sun has had two versions of its operating system CC-certified. Solaris 8 was certified at the Logica lab in the U.K., as was a "trusted" version with strong access control, security labels and software compartmentalization.

Those evaluations, which required a year each, cost Sun hundreds of thousands of dollars, according to Solaris product line manager Mark Thacker. Sun has no immediate plans to submit Solaris 9 for CC evaluation.

As for Microsoft, it submitted Windows 2000 for evaluation to SAIC's lab a year ago, but there's been no announcement on CC certification.

Federal agencies shopping for software for national security systems can ask for an NSA waiver to avoid the CC purchasing mandate. But it's not expected to be easy to get one, Ross says. On the other hand, he says the NSA probably won't take a hard line if a product — particularly the operating system — is in the evaluation process.

Software vendors that have invested considerable time and money in shepherding their products through the process are hoping the NSA doesn't grant waivers too easily.

Security's seven virtues

Oracle has had its 7, 8, and 8i database products evaluated and certified at the Logica lab in the U.K., which examined the source code to ensure that access control and encryption worked as advertised. An option for these databases, Oracle Label Security Release 8.1.7, adds a way to label data for security purposes and is under review.

"It cost hundreds of thousands to a million dollars per product to do CC evaluation," Davidson says. "We're the first database vendor to achieve it." There are seven designated grades of Evaluation Assurance Level and Oracle has targeted EAL4 for all its products so far. EAL1 is the lowest and EAL7 the highest.

Although complex to decipher, the EAL scheme basically says EAL1 is appropriate when requirements for security are "not serious." EAL2 ups the ante in asking the product developer for design information and testing "consistent with good commercial practice." At EAL3, the product is going to be "methodically tested and checked" in a CC-accredited lab in a search "for obvious vulnerabilities."

At EAL4 — described as "the highest level at which it is likely to be economically feasible to retrofit to an existing application" — the source code is examined, and the vendor has to be prepared to "incur additional security-specific engineering."

EAL4, the highest CC certification level doled out for the 75 products tested to date, is the highest level that's recognized by all CC country signatories. Above that, vendors are likely to see specific demands from individual countries.

"Over EAL4 would be horribly expensive," says Don Davis, chief architect of trusted technologies at Veridian, the San Antonio, Texas, systems integrator that develops customized secure e-mail and database applications for the Department of Defense.

The Common Criteria describes EAL7 as being for applications in "extremely high-risk situations where the high value of the assets justifies the higher costs."

Orange Book

Before the arrival of Common Criteria, the Department of Defense and National Security Agency demanded products conform to the "Orange Book" criteria, so-called because the security evaluation guidelines had an orange cover.

Dozens of vendors, including Sun, Oracle, DEC, Novell and SGI, dutifully went through years of Orange Book testing in the late 1980s and early 1990s to obtain ratings such as "C2" and "B1", which designate lower and higher security levels. A federal mandate issued around 1990 said government computer systems storing sensitive data would have to be C2-equivalent by 1992. A commonly heard rallying cry at that time became "C2 by '92!"

But by all accounts, that never happened. The government never purchased enough Orange-Book-certified products to justify the amount of money the IT industry poured into having their products certified.

Many reasons have been given for this over the years. Military IT departments sometimes admitted they found trusted systems too complex or expensive. But clearly, a main problem was that it typically took two to five years or more to test one product. In the fast-paced IT industry, changes rendered these Orange-Book-certified products obsolete by the time testing was done.

"The reason the testing took so long was that NSA did the testing," says Gartner analyst John Pescatore, who worked for NSA in the Orange Book era. "That's how the National Information Assurance Partnership [NIAP] started up, so you won't have to do this with the government."

The U.S. government agreed it was time to turn this job over to accredited commercial labs around the world.

NIAP, a joint effort between NSA and the National Institute of Standards and Technology, has played a key role in fostering the international Common Criteria security evaluation program, which was launched in 1996 with the U.K., Germany, France and the Netherlands. The list of countries backing the effort has since grown to include Australia, New Zealand, Canada, Finland, Greece, Israel, Italy, Norway, Spain and Sweden.

— Ellen Messmer

This April, Secure Computing received EAL4 for the Gauntlet firewall (purchased from Network Associates) after a review that took more than a year at CSC's lab in Australia, says product marketing manager Jason Lamar.

Why a lab in Australia? Lamar says Secure Computing had business opportunities there and the Australian government tends to have its own demands related to CC.

An uncommon criteria?

Several vendors say the Australian government prefers to have CC product testing done in CC labs with so-called protection profiles defined by Australia.

There are many protection profiles — which are sometimes created by the vendor and sometimes standard under the CC program — for each product category. The profiles get to the meat of what a product promises to do. For instance, Sun Solaris 8 and Trusted Solaris received EAL4 certification. But the protection profiles for Trusted Solaris are more demanding.

"There's only controlled access described for Solaris 8," Sun's Thacker says. "But there's role-based access protection defined in the Label Security Protection Profile. Unfortunately, the way the information is presented on the Common Criteria Web sites, they highlight the EAL level not the protection profile."

But profile preferences have some vendors saying CC has a ways to go to become fully adopted as an international software testing program.

"Our protection profiles were accepted in the U.S. and Canada, and generally in the U.K., but not in Australia," says Gary Moore, senior architect for global governments at Entrust, which has had its Entrust Authority 5.1 public-key infrastructure suite evaluated in the Syntegra lab in the U.K. at EAL3. The governments of Britain and Australia specifically state a preference for homegrown protection profiles, he says.

"There's still a country-by-country approval, which is a major issue," Moore says. The time needed to get through the entire process is causing Entrust to submit upcoming products for testing even before they're generally available.

Despite the costs and obstacles, vendors are proud to have made it through the testing and hope it will give them a competitive edge in the government market. Although a year sounds like a long time to have a product undergo testing, observers note this is faster than Orange Book testing.

"It typically took NSA over two years to do this testing, and that's why NIAP started up, so you wouldn't have to do this with the government," says Gartner analyst John Pescatore.

Common Criteria is no silver bullet, because security experts might discover new holes in CC-evaluated products (this occurred with Solaris 8 a month ago). "Common Criteria is better than nothing," Pescatore says. "But it doesn't replace vulnerability testing."

CC is a process in motion, and in the U.S. there's talk about expanding purchasing mandates and testing to equipment not yet included, such as intrusion-detection systems. NIAP Director Ross says NIST and NSA are considering whether to have protection profiles for Web browsers. And he's working on a set of unified federal guidelines for use of CC.

"After Sept. 11, there's been interest in making Common Criteria mandatory for all agencies," Gartner's Pescatore says.

Contact Senior Editor Ellen Messmer

Other recent articles by Messmer

Related Links

Common Criteria Project
Official Web site.

National Information Assurance Partnership Web site

Congress: Tighten IT security
Prompted by last year's terrorist attacks, momentum is building on Capitol Hill to expand the role of the National Institute of Standards and Technology in establishing IT security standards and best practices. But the prospect is raising concerns in some circles. Network World, 04/22/02.

Air Force goes on net security offensive
The U.S. Air Force is adding firepower to its network defenses by increasing intrusion-detection measures at dozens of bases around the country as the threat of cyberattacks escalates in the post-Sept. 11 age of terrorism. Network World, 05/06/02.

Sun earns certification for Trusted Solaris 8
A security-hardened version of the Sun Solaris 8 operating system has achieved the international 'Common Criteria' certification after successfully passing a year of vigorous lab tests at Logica, a U.K. lab. Network World Fusion, 05/01/02.
