Penetration Testing mailing list archives
RE: Vulnerability Assessment of a EAL 4 system
From: "Hardwick, Stephen" <shardwick () enpointe com>
Date: Mon, 6 Nov 2006 09:05:08 -0800
Steve,

A couple of comments on your response.

EAL stands for Evaluation Assurance Level (http://en.wikipedia.org/wiki/Evaluation_Assurance_Level). In addition to replacing ITSEC, the Common Criteria scheme also replaces TCSEC in the US. Under the Mutual Recognition Agreement (MRA), CC certifications are accepted in many countries in addition to the ones you cited. The above link also gives some average costs for the testing.

One important step in Common Criteria evaluations not in your list is the creation and acceptance of a Security Target. This defines the security properties of the TOE made by the product vendor (normally referred to as the developer).

In addition to the Common Criteria portal, another good reference on CC is http://en.wikipedia.org/wiki/Common_Criteria

If you would like more information, I completed a webinar recently on Common Criteria that gives an overview of the process and costs: http://enpointe.mmalliance.breezecentral.com/p92705019/

Steve

Steve Armstrong wrote:

Ok, let's look at some terminology first. EAL is the European Assurance Level, so it isn't accredited for anything contrary to what IBM say - they are not an accreditation authority! EALs were designed to replace ITSEC (IT Security Evaluation Criteria) levels adopted by the UK, Germany, France and the Netherlands. The best reference for EAL material under the CC (Common Criteria) can be found here: http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

However, to conduct an EAL or any assurance evaluation is very, very, very expensive and not conducted lightly (a complex OS will cost millions!). Governments and Defence are usually the main customers, but as you do not understand the process, I doubt you are from these fields. Therefore, I doubt you have requested a unique testing or installation to the EAL4 level.
If you have an OS that has been tested and certified to the EAL level, you must compare the TOE (Target of Evaluation) with your installation, as the EAL certification is only valid on the exact build, patch level and hardware - so pay close attention to detail. One of the most important parts of the evaluation is the list of what is in scope and what is not. Early MS evaluations of NT4 were actually against the system being isolated from the network! (This was addressed by the final eval of the NT4 Y2K + GINA fix version of the ITSEC E3 certification.) I should point out that MS took around 2.5 YEARS to get Win2k certified to EAL 4, and in doing so had to release SP2 for Win2k - so you can guess the level of testing and code review necessary.

To answer the second Q: the process for evaluating the system is as follows (and be prepared to sign NDAs):

- Get the Target of Evaluation (TOE).
- Get the Protection Profiles (PP) that were implemented and tested.
- Get the Evaluation Report for the tests.
- Get the certificate for the system.
- Examine the system and see if it is configured the same way.
- Record the differences between the PP, TOE, Report and your system: there will be some.
- See if you can live with the differences, as they make the EAL certification invalid but the system more secure or usable.

Remember however: certification only proves the system CAN be secured to that specific level, and it is a snapshot at that configuration. Systems need patching, and this changes the configuration. The amount of work required to secure the OS as per the certified configuration is often huge and results in a significantly degraded user experience.

HTH. Email me direct if you want to know more or ask any direct questions.
Steve A

---------------------------------------------------------------------
Logically Secure Forum (current home of the Vulnerability Assessment and Operational Security Testing VAOST methodology)
www.logicallysecure.com/forum

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of castellan2004-fd () yahoo com
Sent: 01 November 2006 10:12
To: pen-test () securityfocus com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as an EAL4 system by IBM. During the assessment, I was looking for standard Linux protections like iptables, ssh etc. On this server, there is no iptables. Regardless, I would like to know how to evaluate an EAL 4 system. What do you need to look for in the EAL 4 system in production that could become vulnerable?

Thank you in advance for any help.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.28/518 - Release Date: 04/11/2006
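The "examine the system and record the differences" steps in Steve Armstrong's list amount to a drift check of the deployed host against the evaluated configuration. The script below is an added example written for this archive page; it is not code from the thread, from IBM, or from any Common Criteria tool. Its INI-like baseline format, the section and item names, and every version string are assumptions: a real baseline would be transcribed from the Security Target and evaluation report, and the live snapshot collected on the host with commands such as `uname -r`, `rpm -qa`, `chkconfig --list` and `sysctl -a`. Both inputs here are constructed, and the snapshot deliberately contains an unevaluated extra package (iptables, the control the original poster went looking for) to show that additions the evaluation never covered fall outside the certificate exactly as missing items and changed versions do.

```python
r"""Drift check of a deployed host against a certified (evaluated) configuration.

Added example for the pen-test thread above, not code from the thread or from
any Common Criteria tooling. The baseline format, item names and all version
strings are hypothetical. In real use the baseline is transcribed from the
Security Target / evaluation report, and the live snapshot is collected with
`uname -r`, `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, `chkconfig --list`
and `sysctl -a`; here both are embedded as constructed text so the script runs
offline.
"""
from collections import namedtuple
import subprocess

Drift = namedtuple("Drift", "category item expected actual")

# Constructed baseline (hypothetical values, NOT a real evaluated configuration).
CERTIFIED_BASELINE = """
[kernel]
release = 2.6.9-42.EL
[packages]
openssh-server = 3.9p1-8.RHEL4.17
pam = 0.77-66.14
audit = 1.0.14-1.EL4
[services]
sshd = on
auditd = on
[sysctl]
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 1
"""

# Constructed snapshot of the host under assessment (hypothetical values):
# a patched kernel, a newer sshd, auditd switched off, and an extra package
# (iptables) that the evaluation never covered.
LIVE_SNAPSHOT = """
[kernel]
release = 2.6.9-42.0.3.EL
[packages]
openssh-server = 3.9p1-8.RHEL4.20
pam = 0.77-66.14
iptables = 1.2.11-3.1.RHEL4
[services]
sshd = on
auditd = off
[sysctl]
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 1
"""


def parse_config(text):
    """Parse the simple INI-like format into {section: {key: value}}."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        config[section][key] = value
    return config


def compare(baseline, live):
    """Return every difference between the certified baseline and the live host.

    Items only in the baseline are 'missing'; items only on the host are
    'extra' (never evaluated, so outside the certificate even when they add
    protection); items present in both with different values are 'mismatch'.
    """
    drift = []
    for section in sorted(set(baseline) | set(live)):
        expected, actual = baseline.get(section, {}), live.get(section, {})
        for item in sorted(set(expected) | set(actual)):
            name = "%s/%s" % (section, item)
            if item not in actual:
                drift.append(Drift("missing", name, expected[item], None))
            elif item not in expected:
                drift.append(Drift("extra", name, None, actual[item]))
            elif expected[item] != actual[item]:
                drift.append(Drift("mismatch", name, expected[item], actual[item]))
    return drift


def certified_configuration_holds(drift):
    """The certificate covers only the exact evaluated build: any drift voids it."""
    return not drift


def collect_live_kernel():
    """Real collection for the [kernel] section; other sections follow the same pattern."""
    return {"release": subprocess.check_output(["uname", "-r"]).decode().strip()}


def report(drift):
    lines = ["%-8s %-32s expected=%s actual=%s" % d for d in drift]
    return "\n".join(lines) or "no drift from certified configuration"


if __name__ == "__main__":
    found = compare(parse_config(CERTIFIED_BASELINE), parse_config(LIVE_SNAPSHOT))
    print(report(found))
    print("certified configuration holds:", certified_configuration_holds(found))
```

Run stand-alone it prints five drift lines (a kernel mismatch, a missing audit package, an extra iptables package, a newer openssh-server and auditd turned off) and reports that the certified configuration no longer holds. The point of classifying the extra package separately is the one Armstrong makes: a difference may make the host more secure or more usable, but it still takes the host outside what the certificate attests to, so each line is a decision to record rather than a finding to close.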
Current thread:
- Vulnerability Assessment of a EAL 4 system castellan2004-fd (Nov 01)
- RE: Vulnerability Assessment of a EAL 4 system Marc Doudiet (Nov 01)
- Re: Vulnerability Assessment of a EAL 4 system Robert E. Lee (Nov 02)
- <Possible follow-ups>
- RE: Vulnerability Assessment of a EAL 4 system Hardwick, Stephen (Nov 02)
- RE: Vulnerability Assessment of a EAL 4 system Steve Armstrong (Nov 05)
- RE: Vulnerability Assessment of a EAL 4 system Hardwick, Stephen (Nov 06)