Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Certification Security Blanket: Page 5 of 9

Unfortunately, there's no organization analogous to the Underwriters Laboratory for network security products. Only a few industry certifications address how a product functions. Probably the oldest and most well-known is ICSA Labs, an independent division of security-services company TruSecure Corp. ICSA Labs tests and certifies cryptographic systems, firewalls, antivirus software and IPsec VPN software and appliances against published documents and other products. Like Common Criteria and FIPS-140-2, ICSA Labs' certifications are functional tests with pass and fail components.

The certification criteria is compiled from security vendors and experts. It evolves, too, as product features mature and testing methods are identified. Unlike CC, ICSA Labs' industry certification doesn't include implementation guidelines and environmental constraints. These tests don't take into account architectural differences of a product or its internal protection enhancements. An ICSA Labs firewall certification, for instance, doesn't differentiate between stateful packet-filtering firewalls and application-proxy firewalls.

Is Certification Enough?

How important is certification in the real world of exposed networks and security patches? A certified security device or package isn't immune to attack. It's one piece, albeit major, of the puzzle. The IBM 4578 Cryptographic processor, for example, a FIPS-140-1 Level 4-certified device, once had a vulnerability in its Common Cryptographic Architecture support software that let a would-be attacker bypass the security layers and recover the keys. IBM fixed the problem early last year, but it drives home the fact that certifications don't replace sound security practices.

And a certified product isn't necessarily more secure than an uncertified one. It may be that the vendor of the uncertified product has not yet submitted it for testing or that testing is still under way. Rest assured that the prices vendors pay for certification, often starting at $25,000 per product and upwards to hundreds of thousands for a Common Criteria certification, motivate them to build products that are likely to get certified.