Careers & Certifications

05:00 PM
Connect Directly
RSS
E-Mail
50%
50%

Security Certification for SuSE: No Big Deal

The certification has no value for Linux at large.

SuSE has become the first Linux developer to receive a particular OS security certification that is internationally recognized and vital for selling to the U.S. and several European governments. This was hailed by some as a big score not only for SuSE but for all Linux distros.

But the certification has no value for Linux at large. It applies to only one version of SuSE's product, specifically the SuSE Linux Enterprise Server 8, with the certification-sles-eal2. rpm installation package. This is true of all certifications under Common Criteria, an agreement among many nations to unify security certification standards. Common Criteria certifications apply only to specific product versions with established configurations (see "Certification Security Blanket").

Linux Enterprise Server was certified at Evaluated Assurance Level 2+ out of 7 levels. This means the product has been tested only according to a vendor-defined configuration; the vendor has furnished documentation that it has performed a vulnerability analysis against known vulnerabilities; and the vendor has supplied, and the testing firm analyzed, documentation on the configuration and operation of a subset of system features.

What's more, the EAL2+ certification is limited to a fixed configuration and is focused on nonhostile environments like a protected data center. On a SuSE Linux Enterprise Server configured according to EAL2+, the only network services allowed are SSH and FTP. More important, the cryptographic features of OpenSSH were not evaluated because such testing would have taken too long. Other common services--like HTTP, DNS and SMTP running on their standard ports--are not part of the feature sets, further reducing the importance and usefulness of the EAL2+ configuration.

Each Linux distribution has its own programs and configuration files and, often different kernel modifications. So while Common Criteria certification is a somewhat positive milestone for SuSE, the other Linux distributions will have to step up for their own.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Slideshows
Cartoon
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
Video
Twitter Feed