NWC | Buzzcut | Security Certification for SuSE: No Big Deal |

Upcoming Events

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

N E W S / A N A L Y S I S

Security Certification for SuSE: No Big Deal

August 21, 2003
By Mike Fratto

	Issue TOC
	Print full article
	Download as PDF
	E-Mail this URL
	Discuss this article
	Flame the author

SuSE has become the first Linux developer to receive a particular OS security certification that is internationally recognized and vital for selling to the U.S. and several European governments. This was hailed by some as a big score not only for SuSE but for all Linux distros.

But the certification has no value for Linux at large. It applies to only one version of SuSE's product, specifically the SuSE Linux Enterprise Server 8, with the certification-sles-eal2. rpm installation package. This is true of all certifications under Common Criteria, an agreement among many nations to unify security certification standards. Common Criteria certifications apply only to specific product versions with established configurations (see "Certification Security Blanket").

Linux Enterprise Server was certified at Evaluated Assurance Level 2+ out of 7 levels. This means the product has been tested only according to a vendor-defined configuration; the vendor has furnished documentation that it has performed a vulnerability analysis against known vulnerabilities; and the vendor has supplied, and the testing firm analyzed, documentation on the configuration and operation of a subset of system features.

What's more, the EAL2+ certification is limited to a fixed configuration and is focused on nonhostile environments like a protected data center. On a SuSE Linux Enterprise Server configured according to EAL2+, the only network services allowed are SSH and FTP. More important, the cryptographic features of OpenSSH were not evaluated because such testing would have taken too long. Other common services--like HTTP, DNS and SMTP running on their standard ports--are not part of the feature sets, further reducing the importance and usefulness of the EAL2+ configuration.

Each Linux distribution has its own programs and configuration files and, often different kernel modifications. So while Common Criteria certification is a somewhat positive milestone for SuSE, the other Linux distributions will have to step up for their own.

Post a comment or question on this story.

Best of the Web

Data deduplication: Declawing the clones

Data deduplication is emerging as a critically important new arrow in the storage administrator's quiver to answer hard questions about the increasing problem in storage growth costs.

Quick Read

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Quick Read

WAN Optimization Whitelists and Blacklists

Optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.

Quick Read

WAN Optimization as a Managed Service: It's Not About the Cost

This insight examines how organizations outsourcing their WAN optimization initiatives to a third-party go about achieving their goals for application performance, reducing operational costs, and streamlining enterprise infrastructure.

Quick Read

Disk Storage, Heal Thyself

No-maintenance RAID arrays will deliver more efficiency and higher performance, and save money to boot by obviating expensive maintenance plans through built-in spares and other self-healing features. IT groups, especially those with remote locations, could save themselves a bundle by adopting this technology sooner rather than later.

Silo to Gold Mine: What CMIS Can (and Can't) Do for ECM Integration

Enterprises know they could wring more value from their enterprise content management system investments. Unfortunately, integration and interoperability are sticking points. In this Strategy Session report, we investigate whether Oasis' new open Content Management Integration Services standard could be the answer to these woes.

Download: 10 Gotchas That Derail ECM Initiatives

Enterprise content management deployments are fraught with dangers, such as weak search capabilities and poor requirements definitions, that can grind projects to a halt. This report helps CIOs and project leaders move beyond gridlock, choose the right tools and foster seamless integration.

Video

Network Computingwww.networkcomputing.com

Home

News and Analysis

Tech Centers

Channels

Bloggers

Upcoming Events

Executive conference

Vendor Newsfeed

Subscribe to Newsletter

Best of the Web

Data deduplication: Declawing the clones

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

WAN Optimization Whitelists and Blacklists

WAN Optimization as a Managed Service: It's Not About the Cost

Premium Content

Disk Storage, Heal Thyself

Silo to Gold Mine: What CMIS Can (and Can't) Do for ECM Integration

Download: 10 Gotchas That Derail ECM Initiatives

Video

Most Popular

Whitepapers

BlogRoll

CIOs & IT Professionals

Software Developers

Web & Digital Professionals

Vertical Markets

Government Officials

Global Communications Service Providers

Most Popular

TechWeb Reader Services