Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

W O R K S H O P

Certification Security Blanket

July 24, 2003
By Mike Fratto

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Discuss this article
	Flame the author

	In this article
	Introduction
	Something in Common
	CC Glossary
	CC EALs
	Sites to See

Making sense of the features security vendors load in their product data sheets is like trying to mold Jell-O by hand--try to grasp one section and the rest squishes out of reach. Despite your best attempts, you aren't sure exactly what the amorphous security product does or how well it performs. And you probably don't have the time or resources to test it thoroughly before buying it.

Here's an idea: Instead of relying on a brief product demo or trial, check out the product's security certifications. Security certification is the equivalent of in-depth testing without the heavy lifting. A third-party lab or organization tests the product against certain criteria and grades it accordingly. If you're fluent in security-certification criteria, you can glean valuable information about a security device or software.

Not all product certifications are equal, however. Their usefulness depends on the purpose of the certification. You need to understand whether the testing was for functional or implementation purposes, the context of the test and the scope of the results. Most product certifications focus on functional testing--not a feature-by-feature comparison scoring one product over another. The functional tests determine whether a product meets the certification criteria.

The main certifications for security products are the Common Criteria, Federal Information Processing Standard 140-2 (FIPS-140-2) Security Requirements for Cryptographic Modules, and ICSA Labs. Security consultancy Neohapsis--and a Network Computing lab partner--sponsors the Open Security Evaluation Criteria (OSEC), which takes a community-peer-review approach to certification with input from vendors and users.

These certifications complement one another, but if you're a government agency or contractor, you should use the CC and FIPS-140-2 certifications.

Know Your Needs

To get the most out of certifications, you must know your organization's security requirements. These should be stated in a security policy or request for proposal. With such a document in hand, you can easily compare the certification's functionality tests against your needs. It also helps to understand the certification terminology. Common Criteria provides language for building a protection profile (PP), which states your requirements.

To determine whether a certification will help in your product analysis, look at how the certification defines a particular security function, like whether a stateful packet-filtering firewall is tracking the state of a TCP session properly. Knowing that, for instance, TCP state is defined and tested in the certification lab as just TCP session setup and tear-down and doesn't include TCP sequence numbering and error-control mechanisms can help you decide if that particular certification is appropriate for your requirements.

Certification tests typically are restricted to a subset of a product's features. Although most firewalls support IPsec (IP security), just because a firewall passes ICSA Labs Firewall Certification doesn't mean it passes the IPsec VPN Certification. And these functional certifications merely confirm that a security feature works--they don't shed any light on the importance of the feature.