Appendix A. Security Certifications

Although often not required, selecting a network operating system that has earned a security rating can be advantageous. For instance, if your company has a security-conscious Chief Technology Officer, a network operating system that has an internationally recognized security rating would be an easier sell than one that doesn't. Furthermore, some companies you do business with may require it. A number of different organizations, including the U.S. government, have defined a set of security requirements that must be met in order for an operating system to be used within those organizations. At the very least, the classifications can be used to help people (primarily the U.S. government and its contractors) in their purchasing decisions. Therefore, if your company does business with the U.S. government or its contractors, or simply requires the same level of network security, it would be a good idea for your company to deploy network operating systems that meet the minimum of these security ratings.

In 1983, the National Computer Security Center (NCSC) assigned a range of security ratings, shown in Table A.1, based on the United States Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC). These ratings, often referred to as the Orange Book after the color of the document's cover, measure the degree of protection offered by operating systems, network components, and applications.
NOTE When a software product, such as a database, is granted a security rating, it is often referred to as a trusted application.

The TCSEC standard consists of levels of trust ratings, in which higher levels of security build on lower levels, adding more rigorous protection requirements. Although a few network components (such as Boeing MILS LAN Version 2.1) have been evaluated A1, no operating system has earned the A1 rating. A number of operating systems, such as Hewlett-Packard's HP/UX, Digital's Ultrix, and Silicon Graphics' IRIX, have earned B1, B2, and B3 ratings. A number of general-purpose network operating systems, such as Windows NT4 and NetWare 4.11, have earned the C2 rating.

NOTE You can find a complete list of products evaluated by the NCSC using the Orange Book criteria at www.radium.ncsc.mil/tpep/epl/historical.html.

A similar set of European security criteria, the Information Technology Security Evaluation Criteria (ITSEC), was developed in the mid-1990s. Recognizing that an internationally accepted standard is required so that all countries can use one evaluation system, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released a jointly developed evaluation standard for a multinational marketplace in January 1996. This standard is known as the Common Criteria for Information Technology Security Evaluation (CCITSE), usually referred to simply as the Common Criteria (CC). The CCITSE has a structure closer to the ITSEC than the TCSEC and includes Protection Profiles, which collect requirements into easily specified and compared sets, and a Security Target. A Protection Profile (PP) is a document created by a group of users (for example, a consumer group or large organization) that identifies the desired security properties of a product. Basically, a PP is a list of user security requirements, described in a very specific way defined by the CC.
A Security Target (ST) is a document that identifies what a product (known as the Target of Evaluation, or TOE) actually does, or the security-relevant subset of it; it is the basis for agreement between all parties as to what security the TOE offers.

NOTE For more definitions and explanations of terms used in computer security evaluations, visit www.radium.ncsc.mil/tpep/process/faq.html.

It is often difficult to identify a reasonable set of assurance requirements. The Common Criteria offer a set of predefined assurance requirements, called Evaluation Assurance Levels (EALs). EALs provide a uniformly increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. There are seven hierarchically ordered EALs, as shown in Table A.2. The higher levels build on lower levels, so the higher the EAL rating, the greater the degree of assurance.
NOTE For more information about the Common Criteria for Information Technology Security Evaluation (CCITSE), visit csrc.nist.gov/cc.

Today, the Common Criteria standard has replaced TCSEC and ITSEC, and all current network operating system product evaluations are taking place at these new EALs, not at the older levels (such as C2 and so on). In February 2005, SLES 9 running on IBM eServers was granted the EAL4+ rating by astec information security (www.astec.com), one of the few laboratories worldwide officially accredited and licensed to perform evaluations based on the Common Criteria standard. Additional evaluations using a range of IBM and HP hardware platforms are being conducted at the time of this writing.

NOTE The document titled "SUSE LINUX Enterprise Server (SLES) V9 Security Target for CAPP Compliance," located at www.ibm.com/developerworks/opensource/library/os-ltc-security, contains the security feature specifications of SLES 9 as evaluated for the EAL4+ rating.

NOTE While EALx is simply a standard shorthand for the set of assurance requirements defined for EALx, products can be evaluated with additional assurance measures. For example, a product (such as SLES) might choose to be evaluated at EAL4 plus some additional assurance measures that are not sufficient to reach EAL5. Such a combination would be called EAL4+.

You need to be aware that a security rating is different from a security certification. Operating systems, hardware, and application programs earn ratings, but individual installations must be certified. This distinction is significant. What it means is that you may be running an EAL4-rated operating system, but your site is not automatically EAL4-certified. You need to install and configure your system using the same operating system version, patches, and settings, as well as the same or equivalent hardware, used in the evaluation. Then your system must be inspected and granted that certification by an accredited third party.
Furthermore, any changes made, no matter how minor, to an already-certified installation require the whole configuration to be reevaluated to retain the certification. You will find the system hardening information presented in Chapter 13, "System Security," is complementary to the configuration procedures used for SLES 9's EAL4+ evaluation. The following summary describes how you should apply computer security certifications toward your network's security needs:
You can find an RPM package containing the configuration script and data needed to set up the Common Criteria EAL4 system configuration certified on IBM hardware at http://portal.suse.com/psdb/22e06ee39e67b7064ea5c31de972460c.html. You will need a current SUSE maintenance contract to access this page. Even if you are not using IBM hardware, the script can provide you with insights into the necessary settings to be applied to your server.