Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »


 
NetNews
N E W S / A N A L Y S I S  


Security Certification for SuSE: No Big Deal

  August 21, 2003
  By Mike Fratto


TOC Issue TOC
Printer Print full article
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author

SuSE has become the first Linux developer to receive a particular OS security certification that is internationally recognized and vital for selling to the U.S. and several European governments. This was hailed by some as a big score not only for SuSE but for all Linux distros.

But the certification has no value for Linux at large. It applies to only one version of SuSE's product, specifically the SuSE Linux Enterprise Server 8, with the certification-sles-eal2. rpm installation package. This is true of all certifications under Common Criteria, an agreement among many nations to unify security certification standards. Common Criteria certifications apply only to specific product versions with established configurations (see "Certification Security Blanket").

Linux Enterprise Server was certified at Evaluated Assurance Level 2+ out of 7 levels. This means the product has been tested only according to a vendor-defined configuration; the vendor has furnished documentation that it has performed a vulnerability analysis against known vulnerabilities; and the vendor has supplied, and the testing firm analyzed, documentation on the configuration and operation of a subset of system features.

What's more, the EAL2+ certification is limited to a fixed configuration and is focused on nonhostile environments like a protected data center. On a SuSE Linux Enterprise Server configured according to EAL2+, the only network services allowed are SSH and FTP. More important, the cryptographic features of OpenSSH were not evaluated because such testing would have taken too long. Other common services--like HTTP, DNS and SMTP running on their standard ports--are not part of the feature sets, further reducing the importance and usefulness of the EAL2+ configuration.

Each Linux distribution has its own programs and configuration files and, often different kernel modifications. So while Common Criteria certification is a somewhat positive milestone for SuSE, the other Linux distributions will have to step up for their own.

Post a comment or question on this story.


Research and Reports

Hypervisor Derby
August 2011
Network Computing: August 2011

Video


WATCH: Box.net CEO Aaron Levie Takes On Microsoft

WATCH: HP Chairman Ray Lane: Focus On Innovation

WATCH: How OpenFlow Changes Networking


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Featured Whitepapers

Featured Reports

BlogRoll

TechWeb Careers