IDS mailing list archives

RE: IDS Common Criteria


From: "Greg van der Gaast" <greg.vandergaast () wanadoo nl>
Date: Tue, 7 Jan 2003 09:19:40 +0100

I have seen plenty of people with driving licenses who can't drive worth
a ____. Same goes for CC accreditation. 

In my humble opinion, the problem with CC is that the evaluation is only
as good as the evaluator. The standard itself is written in such
abstract form (the word 'computer' doesn't even come up once in the
640+ page document except for one mention of 'Computer Aided Design')
that in most cases numerous (all?) low-level technical vulnerabilities
or shortfalls are overlooked. Perfect example is W2k being certified and
MS releasing 3 critical patches to fix just certified components, the
next day. Worse is that in this case MS deliberately left its customers
vulnerable so it could get accredited and market their product as more
secure. For commercial use I'd say, once again imho, it's worthless and
its use as part of a security policy or management process should be
avoided.

Hope this helps.

Regards,

Greg

-----Original Message-----
From: Talisker [mailto:talisker () networkintrusion co uk]
Sent: Monday, January 06, 2003 7:14 PM
To: focus-ids () securityfocus com; ids () mailman vet com au
Subject: IDS Common Criteria

Hi all

Sorry about cross posting this on the SF and Australian IDS list

I received a marketing post this morning from Intrusion Inc saying that
their SecureNetPro is the only IDS to have passed Common Criteria
Certification, I was under the impression that another IDS vendor (ISS)
had already achieved similar.  Is there a RealSecure fan out there that
could confirm this?

Outside Government and Military circles where I can see Common Criteria
Certification being extremely useful, how valuable is it, i.e. within the
financial sector etc.?  More importantly, what are its failings?

take care
-andy
Taliskers Network Security Tools
http://www.networkintrusion.co.uk

