Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »

Security
W O R K S H O P  
Certification Security Blanket

  July 24, 2003
  By Mike Fratto


>> continued from previous page

Something in Common
TOC Issue TOC
Printer Print full article
Printer Print this page
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author
 
  In this article
arrow
 Introduction
arrow
 Something in Common
arrow
 CC Glossary
arrow
 CC EALs
arrow
 Sites to See

Common Criteria is the culmination of work between several countries, including the United States, Canada, Germany and the United Kingdom, to develop a set of universal requirements, test methodologies and structure for evaluating security products worldwide ("CC Glossary"). CC 2.1 and ISO (International Organization for Standardization) standard 15408 are the same. Although the CC was developed with government evaluation and purchasing in mind, its testing and certifications apply to the enterprise as well.

The CC comprises three parts. Part 1 is an overview. Part 2 defines the security components being tested. Vendors can use Part 2 to specify functions required for their product or subsystem, such as a firewall or encryption processor. The tested device is known as the "target of evaluation" (TOE) in CC parlance. Part 3 defines the security-assurance requirements. It's used to develop PP and security target (ST) documents. The ST document defines the functional capabilities of the product. Each evaluated product has an ST document. The PP defines a set of security requirements needed to achieve a security goal. CC doesn't require a PP for every product tested, but if it has one, the product has to satisfy that profile as well as the ST. CC also provides a certification report that summarizes the test, explains the testing environment and configuration, and describes any PPs used. The report includes special exceptions or issues, if any, surrounding the certification testing.

The CC's Evaluated Assurance Level (EAL) is an assessment that says the product meets the functional requirements stated in the ST and in the PP (see "CC EALs,"). EAL levels range from EAL1, which means a product was functionally tested and met the basic requirements, to EAL7, which signifies the product meets requirements for exceptionally secure environments.

Most products receive CC certification of EAL4 and below because EAL5, 6 and 7 certifications are extremely stringent--the CC evaluates the development process and theoretical framework behind the product along with the functional tests.

But out of context, an EAL rating is meaningless. Many firewalls, for instance, have an EAL4 rating, but that doesn't tell you much unless you read the ST, PP and Certification Report. Cross-reference the claims in the ST and PP, too, using CC Parts 2 and 3 so you'll be sure to know what was tested.

Cryptic Certification

FIPS-140-2 is a certification for cryptographic modules sponsored by the National Institute of Standards and Technology (NIST). It makes FIPS-140-1 obsolete, though version 1 is still valid for existing products.

NIST-approved labs test new products to FIPS-140-2, which ensures that cryptographic subsystems are implemented correctly and provide an adequate level of protection for stored, sensitive data.

FIPS-140-2 defines four levels of security assurance, from lowest to highest, with each building on the previous one. Level 1 means the product properly implements the NIST standardized cryptographic algorithms, including DES (Data Encryption Standard), 3DES (Triple DES) and AES (Advanced Encryption Standard).

Level 2 means the product has tamper-evident coatings to ensure that any corruption of the device would be noticeable.

Level 3 is for cryptographic modules that delete stored keys if they detect a physical attack on, say, circuit components. At Level 3, the product must require authenticated access.

Level 4 requires that a product provide protection from attacks that attempt to thwart physical access controls, such as supercooling.

Most security products receive FIPS-140-2 Level 2 or Level 3 certification, which is sufficient as long as the modules are contained in a controlled environment such as a machine room.

Another Puzzle Piece

Unfortunately, there's no organization analogous to the Underwriters Laboratory for network security products. Only a few industry certifications address how a product functions. Probably the oldest and most well-known is ICSA Labs, an independent division of security-services company TruSecure Corp. ICSA Labs tests and certifies cryptographic systems, firewalls, antivirus software and IPsec VPN software and appliances against published documents and other products. Like Common Criteria and FIPS-140-2, ICSA Labs' certifications are functional tests with pass and fail components.

The certification criteria is compiled from security vendors and experts. It evolves, too, as product features mature and testing methods are identified. Unlike CC, ICSA Labs' industry certification doesn't include implementation guidelines and environmental constraints. These tests don't take into account architectural differences of a product or its internal protection enhancements. An ICSA Labs firewall certification, for instance, doesn't differentiate between stateful packet-filtering firewalls and application-proxy firewalls.

Is Certification Enough?

How important is certification in the real world of exposed networks and security patches? A certified security device or package isn't immune to attack. It's one piece, albeit major, of the puzzle. The IBM 4578 Cryptographic processor, for example, a FIPS-140-1 Level 4-certified device, once had a vulnerability in its Common Cryptographic Architecture support software that let a would-be attacker bypass the security layers and recover the keys. IBM fixed the problem early last year, but it drives home the fact that certifications don't replace sound security practices.

And a certified product isn't necessarily more secure than an uncertified one. It may be that the vendor of the uncertified product has not yet submitted it for testing or that testing is still under way. Rest assured that the prices vendors pay for certification, often starting at $25,000 per product and upwards to hundreds of thousands for a Common Criteria certification, motivate them to build products that are likely to get certified.

But don't take any certification as gospel. Certifications are good at capturing a common set of requirements, but you'll still have your own unique ones.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Write to him at mfratto@nwc.com.

Post a comment or question on this story.


start top  Introduction CC Glossary 

Research and Reports

Hypervisor Derby
August 2011
Network Computing: August 2011

Video


WATCH: Box.net CEO Aaron Levie Takes On Microsoft

WATCH: HP Chairman Ray Lane: Focus On Innovation

WATCH: How OpenFlow Changes Networking


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Featured Whitepapers

Featured Reports

BlogRoll

TechWeb Careers