AW: [IDS] IDS Common Criteria

[detmar.liesen () lds nrw de]

FTWAI: (for those who are interested):
Europe has a pendant to CC - the Information Technology Security Evaluation
Criteria (ITSEC), which has adopted several thoughts of the Orange Book of CC
but is more flexible. In Germany the BSI (www.bsi.de) is the public authority
for ITSEC certifications.

BTW: I have once tried to read the orange book but I gave up on the 12th page or
so.
This experience was very traumatic for me (shudder).
> 8)

However, for stuff like b2b, even private companies nowadays tend to prefer
E3/high certified products.

As most of you probably know, in the US and in Germany (I don't know about the
others) it's compulsory to protect your business - and thus your
it-infrastructure as well - from known threats that could bankrupt you (for
those who want to know, I am talking about the German KonTrag act and it's
consequences).

If you have a security concept and your infrastructure is certified E3/high, you
have solid proof that you have taken adequate measures for protecting your
business and this protects you (as a business owner or executive) from being
charged for serious negligence if this is the right term in english.
:)
Of course, E3/high certified products do not protect you from harm if your
security concept does not include audits and assessment that are performed on a
regular term.

For government security-infrastructure such as firewalls, E3/high is compulsory
anyway.

Just my 2 Cents
;)

Cheers,
Detmar Liesen



 -----Ursprüngliche Nachricht-----
Von:    Randy Taylor [mailto:gnu () charm net] 
Gesendet:       Mittwoch, 8. Januar 2003 00:50
An:     Talisker; focus-ids () securityfocus com; ids () mailman vet com au
Betreff:        Re: [IDS] IDS Common Criteria


At 11:00 PM 1/7/2003 +0000, Talisker wrote:
> Sadly within the public sector installing an IDS isn't merely a question of
> having sufficient resources to achieve the objective, there are also a
> plethora of political and accreditation issues to overcome.  CC can help to
> surmount many of the bureaucratic mountains that lie in the way.
> I don't agree with it, but it's a fact of life,  I can't see another way
> until common sense prevails.  Unfortunately public sector and common sense
> rarely walk hand in hand.

You've hit the hidden nail pretty close to its head. The U.S Government
public sector now requires significant Certification and Accreditation (C&A)
efforts for any new infrastructure being stood up and it is in the process
of introducing C&A into existing infrastructure. CC product certifications
are an integral part of the C&A process now, and they're not going away.
The U.S. Military has been doing C&A on their critical infrastructure for 
as long
as I can remember. The point is that post 9/11 pretty much -everything- in the
U.S. .gov and .mil network domains is being identified as critical 
infrastructure.

 From the outside-in view, CC and it's C&A parent are bureaucratic at best
and Byzantine at worst. In the projects I'm involved with these days,
I spend as much time on C&A issues as I do on technical issues. I'm
seeing the process from the inside. It does get mind-bogglingly complex
sometimes, and everyone I know that's involved relieves the pressure with
an occasional witty rant or two. My previous humorous comments aside
though, C&A has identified weakness in infrastructure that would have
escaped detection otherwise. C&A has this annoying habit of working.

Sure, the overall process can be improved, and I'm sure it will - but it does
what it's supposed to do now. From a structural security perspective, C&A
is essential. I wouldn't be surprised to see the commercial sector adopt
C&A processes and demand CC certs in the next year or two.


> just my 2c
>
> take care
> -andy

8)

Randy