Security Basics mailing list archives

Re: RE: Is Microsoft ISA approved for US government use?


From: dean.white () oneguard com
Date: 2 Sep 2008 00:16:01 -0000

Microsoft Internet Security and Acceleration Server 2004 – Enterprise Edition – Service Pack 2 – Version 4.0.3443.594 
is evaluated to EAL4+. 

A few important things to remember when using products from the CC are:

1> The device MUST be deployed and managed exactly as per the evaluated configuration, so in this case it has to be 
Microsoft Internet Security and Acceleration Server 2004 – Enterprise Edition – Service Pack 2 – Version 4.0.3443.594 
(patch versions, configuration, even features). If the device cannot be installed, deployed and managed as per the 
evaluated CC target, then a risk assessment has to be performed which assesses how the changes affect the environment 
and what controls you are going to implement to mitigate the exposure of not using the device in its evaluated 
configuration. This is even the case if MS bring out patches for the application, and especially so when you are going 
to use a different version of the application. (Any other version of the application, even minor patches, service packs 
etc, mean that the device is no longer in the evaluated configuration)

2> On many platforms, only certain features are evaluated. For example, on some devices, the firewall component may be 
certified but not the VPN component. You should read through the Target of Evaluation documents and the Certification 
report to determine what parts of the MS ISA server are certified. So using MS ISA server as an IDS may not be an 
evaluated feature.

Regards
Dean White
Principal
Oneguard Consulting

