Security Basics mailing list archives

Re: Vulnerability Assessment of an EAL 4 system


From: "Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>
Date: Thu, 02 Nov 2006 02:01:33 -0500

Hello,

EAL4 is not a security certification. It's more a 3rd party evaluation of
one's assertion of assurance.

One may assert that attempting to connect to any port whatsoever results
in a reset being sent.... Provided the system is configured exactly in some
described manner. Any change to anything invalidates EAL certification
including patches, hot-fixes, service packs, security updates, or any such
configuration variations.

If you want to test EAL4 systems, review the Common Criteria for the level,
review the EAL4 "assertion of assurance" documents from the vendor. Then
configure the system as such and perform unit tests to verify outcomes. This
is much more a QA activity than one of a security pen-test.



Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/
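The reply above frames EAL4 testing as verifying that a deployed system still matches the one exactly described configuration that was evaluated, rather than hunting for bugs. The script below is an added example of such a conformance check; it is not code from the poster or from any vendor's evaluation documents. The baseline manifest, the package versions and the command output are all constructed placeholders (the output is written in the shape of `rpm -qa` with a custom query format and of `ss -Hlnt`, but a real collector would supply the real output), and the section names in the manifest are hypothetical.

```python
"""Evaluated-configuration conformance check (added example, not from the thread).

An EAL4 evaluation covers one exactly described configuration, so the test
is whether the running system still matches it: same packages at the same
versions, only the evaluated services listening, evaluated kernel settings.
Everything below is constructed sample data with placeholder values.
"""
import re

# Constructed baseline: the evaluated configuration (hypothetical values).
BASELINE = {
    "packages": {"openssh-server": "4.3p2-10", "kernel": "2.6.9-42"},
    "listening_tcp": {22},                 # only sshd may listen
    "sysctl": {"net.ipv4.ip_forward": "0"},
}

# Constructed observed output, in the shape of
# `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, `ss -Hlnt`, and `sysctl`.
RPM_OUTPUT = """\
openssh-server 4.3p2-10
kernel 2.6.9-55
vsftpd 2.0.1-6
"""
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
"""
SYSCTL_OUTPUT = "net.ipv4.ip_forward = 1\n"


def parse_rpm(text):
    """'name version-release' lines -> {name: version-release}."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def parse_ss(text):
    """Header-less `ss -lnt` lines -> set of listening TCP ports."""
    ports = set()
    for line in text.splitlines():
        # local address is the 4th column; take the port after the last colon
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+\S*:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def parse_sysctl(text):
    """'key = value' lines -> {key: value}."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def check_conformance(baseline, packages, ports, sysctl):
    """Return a list of deviation strings; an empty list means conformant."""
    findings = []
    for name, want in baseline["packages"].items():
        have = packages.get(name)
        if have is None:
            findings.append(f"package {name} missing (evaluated {want})")
        elif have != want:
            findings.append(f"package {name} is {have}, evaluated {want}")
    # Anything installed beyond the evaluated set is itself a deviation.
    for name in sorted(packages.keys() - baseline["packages"].keys()):
        findings.append(f"package {name} not in evaluated configuration")
    for port in sorted(ports - baseline["listening_tcp"]):
        findings.append(f"tcp/{port} listening but not in evaluated configuration")
    for port in sorted(baseline["listening_tcp"] - ports):
        findings.append(f"tcp/{port} expected to listen but does not")
    for key, want in baseline["sysctl"].items():
        have = sysctl.get(key)
        if have != want:
            findings.append(f"sysctl {key} = {have}, evaluated {want}")
    return findings


def run_sample():
    """Run the check over the constructed sample data."""
    return check_conformance(
        BASELINE, parse_rpm(RPM_OUTPUT), parse_ss(SS_OUTPUT), parse_sysctl(SYSCTL_OUTPUT)
    )


if __name__ == "__main__":
    for finding in run_sample():
        print("DEVIATION:", finding)
```

On the constructed data the check reports four deviations: a kernel at a version other than the evaluated one, an extra package, an extra listening port, and a changed sysctl. Each one is a configuration variation of the kind the reply says takes the system outside its evaluated state, which is the point of treating this as a QA exercise against the vendor's documents rather than as a penetration test.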


From: Subbarao Chitturi <subbarau_2004 () yahoo com>
Date: Wed, 1 Nov 2006 02:13:21 -0800 (PST)
To: <security-basics () securityfocus com>
Subject: Vulnerability Assessment of an EAL 4 system
Resent-From: <security-basics-return-41669 () securityfocus com>
Resent-Date: Wed,  1 Nov 2006 11:09:24 -0700 (MST)

I am looking at a Linux server which has been
accredited as an EAL4 system by IBM.  During the
assessment, I was looking for standard Linux
protections like iptables, ssh etc.  On this server,
there is no iptables.

Regardless, I would like to know how to evaluate an EAL
4 system.  What do you need to look for in the EAL 4
system in production that could become vulnerable?

Thank you in advance for any help.


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



