Security Basics mailing list archives
Re: Vulnerability Assessment of a EAL 4 system
From: "Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>
Date: Thu, 02 Nov 2006 02:01:33 -0500
Hello,

EAL4 is not a security certification. It's more a 3rd party evaluation of one's assertion of assurance. One may assert that attempting to connect to any port whatsoever results in a reset being sent... provided the system is configured exactly in some described manner. Any change to anything invalidates EAL certification, including patches, hot-fixes, service packs, security updates, or any such configuration variations.

If you want to test EAL4 systems, review the Common Criteria for the level and review the EAL4 "assertion of assurance" documents from the vendor. Then configure the system as such and perform unit tests to verify outcomes. This is much more a QA activity than one of a security pen-test.

Regards,
--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934
http://TechDude.Ca/
From: Subbarao Chitturi <subbarau_2004 () yahoo com>
Date: Wed, 1 Nov 2006 02:13:21 -0800 (PST)
To: <security-basics () securityfocus com>
Subject: Vulnerability Assessment of a EAL 4 system
Resent-From: <security-basics-return-41669 () securityfocus com>
Resent-Date: Wed, 1 Nov 2006 11:09:24 -0700 (MST)

I am looking at a Linux server which has been accredited as an EAL4 system by IBM. During the assessment, I was looking for standard Linux protections like iptables, ssh, etc. On this server, there is no iptables. Regardless, I would like to know how to evaluate an EAL 4 system. What do you need to look for in the EAL 4 system in production that could become vulnerable?

Thank you in advance for any help.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
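The kind of unit test the reply describes, as an added example that is not part of the original thread: it compares observed TCP connect behaviour against an expected-state table taken from the documented configuration and reports every deviation. The function names, the expected-state table and the loopback demo are assumptions made for illustration.

```python
import socket


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'reset' or 'no-response'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # The peer answered the SYN with a RST: the documented "reset" outcome.
        return "reset"
    except OSError:
        # Timeouts and unreachable errors: no RST came back (e.g. a silent drop).
        return "no-response"
    finally:
        s.close()


def verify(host, expected, timeout=2.0):
    """Return (port, expected, observed) for each port that deviates."""
    deviations = []
    for port, want in sorted(expected.items()):
        got = probe(host, port, timeout)
        if got != want:
            deviations.append((port, want, got))
    return deviations


def demo():
    """Constructed loopback fixture: one listening port and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # released again, so connecting to it is refused
    try:
        # The expected table matches reality: no deviations.
        matching = verify("127.0.0.1", {open_port: "open", closed_port: "reset"})
        # The table claims every port resets, but one service is listening.
        drifted = verify("127.0.0.1", {open_port: "reset", closed_port: "reset"})
    finally:
        listener.close()
    return matching, drifted, open_port


if __name__ == "__main__":
    print(demo())
```

Against a real system, the expected table would be filled in from the vendor's evaluated-configuration documents, and a non-empty result means the host no longer matches the configuration that was evaluated.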
Current thread:
- Vulnerability Assessment of a EAL 4 system Subbarao Chitturi (Nov 01)
- Re: Vulnerability Assessment of a EAL 4 system Jason Muskat, GCFA, GCUX, de VE3TSJ (Nov 03)