As some of you already know, Citrix have sponsored XenServer, XenDesktop, XenApp, and Netscaler into the Common Criteria program for Information Technology Security Evaluation (CC). We have had several questions about the announcement and what it means for both VMware and XenServer in particular. Since 1 or 2 of us at VMCo were there way back when Common Criteria & ITSEC first started seeing mainstream IT products submitted for evaluation, we thought we would take this chance to answer some of your questions in this post.
What is Common Criteria (CC)?
CC is an attempt to reduce duplication of effort across the IT security evaluation functions of several governments (6 in all). CC is an international standard that describes how product vendors may make claims about their security software or hardware, and have independent laboratories investigate these claims and certify that the product has been designed and built in a way that meets the vendor's claims and can be relied upon to function as described.
What is EAL?
Within CC, products are examined to an Evaluation Assurance Level (EAL). EALs are currently numbered from 1 to 7, with 7 being the most detailed, most stringent level of scrutiny that a product is put under. VMware ESX and ESXi 3.5 were certified to EAL4+ in February 2010. Citrix have submitted their products for the EAL2 process this month.
So An EAL4 Product Is More Secure Than An EAL2 Product?
No. This is probably the most common misconception about CC. A higher EAL number means only that the product passed a deeper level of scrutiny of the vendor's claims. For example, I might have a simple, weak encryption application that passes EAL7 because it was found to meet my claims without fault, and its design and execution were found to be exemplary even when "put under the microscope" of EAL7. A much stronger encryption application, one that would protect my data better using a strong algorithm, might only be submitted for EAL2 because I want to get some kind of basic certification quickly so I can sell to my government customers. There are also a number of misconceptions around how vendor claims are tested. In our experience, for example, code review is only done at EAL6 or 7.
What Claims Might A Vendor Make?
The scheme allows vendors to tailor their claims to their product and the way it is to be used. This means that a firewall is not subject to the same investigation as an email system or a desktop OS. A vendor with a firewall might claim that in order to administer the device you must pass 2-factor authentication, that you can only do so over a strongly encrypted connection, and that there is no other possible way of gaining admin access. Such a claim would be investigated to the required depth as part of the CC certification. Another example of a popular claim might be "the admins can't automatically read everyone's email". CC tests that these claims are true to a certain depth. Documentation is a vital part of passing an evaluation.
Does It Matter What Version Gets Certified?
Yes, it matters very much. Just because version 1 of a product received certification, it doesn't mean that v2 or even v1.0.1 is certified. The product must be resubmitted into the evaluation process to be re-assessed. This is because CC evaluates vendor claims for a given version, and even a given configuration, of the product. It is normal for a product to be obsolete by the time it passes certification. You could argue this is made worse by the pace of change in commercial software, with many companies pushed to make 1 major release per year and 2 functionality patches, alongside the 4 critical security-related hotfixes, all of which take a product outside its certified condition.
How Long Does It Take?
For products of similar size/complexity, the higher the level of assurance, the longer the evaluation takes. Expect to see a XenServer (we presume v5.0 or v5.5) certified within the next 6 months. A CC certification can be an expensive business; in our experience of the process (mainly CheckPoint-FW1 and Harris CyberGuard) the cost is £200K-£400K.
Who Cares If A Product Is Certified?
Mostly it is government buyers or those who have to work closely with government agencies, exchanging information with them or connecting directly to them. Often such customers are restricted to choosing products from the catalogue of evaluated solutions. However, depending on the sensitivity of the information being handled by the IT, an EAL certification may not even be required.
Where Can I Find Out More?
As ever, Wikipedia is a good start.
Check the Portal for certified products.
Saturday, 1 May 2010
Citrix XenServer & VMware ESX Common Criteria Certification
Labels: citrix, EAL4, government, virtual machine company, vmware, xenserver