Penetration Testing mailing list archives

RE: Vulnerability Assessment of a EAL 4 system
From: "Hardwick, Stephen" <shardwick () enpointe com>
Date: Mon, 6 Nov 2006 09:05:08 -0800

Steve,

A couple of comments on your response:

EAL stands for Evaluation Assurance Level
(http://en.wikipedia.org/wiki/Evaluation_Assurance_Level). In addition
to replacing ITSEC the Common Criteria scheme also replaces TCSEC in the
US. Under the Mutual Recognition Agreement (MRA) CC Certifications are
accepted in many countries in addition to the ones you cited. The above
link also gives some average costs for the testing.

One important step in Common Criteria evaluations not in your list is
the creation and acceptance of a Security Target. This defines the
security properties of the TOE made by the product vendor (normally
referred to as the developer).

In addition to the Common Criteria portal another good reference on CC
is http://en.wikipedia.org/wiki/Common_Criteria 

If you would like more information, I completed a webinar recently on
Common Criteria that gives an overview of the process and costs.
http://enpointe.mmalliance.breezecentral.com/p92705019/

Steve

Steve Armstrong wrote:

OK, let's look at some terminology first.

EAL is the European Assurance Level, so it isn't accredited for anything
contrary to what IBM say - they are not an accreditation authority! 
EALs were designed to replace ITSEC (IT Security Evaluation Criteria)
levels adopted by the UK, Germany, France and Netherlands.  The best
reference for EAL material under the CC (Common Criteria) can be found
here http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

However, to conduct an EAL or any assurance is very very very expensive
and not conducted lightly (a complex OS will cost millions!).
Governments and Defence are usually the main customers, but as you do
not understand the process, I doubt you are from these fields.
Therefore, I doubt you have requested a unique testing or installation
to the EAL4 level.  If you have an OS that has been tested and certified
to the EAL level you must compare the TOE (Target of Evaluation) with
your installation as the EAL certification is only valid on the exact
build, patch level and hardware - so pay close attention to detail.  One
of the most important parts of the evaluation is the list of what is in
scope and what is not.  Early MS evaluations of NT4 were actually
against the system being isolated from the network! (this was addressed
by the final eval of NT4 y2k + gina fix version of the ITSEC E3
certification).

I should point out that MS took around 2.5 YEARS to get Win2k certified
to EAL 4.  And in doing so had to release SP2 for Win2k - so you guess
the level of testing and code review necessary.

To answer the second Q: 

The process for evaluating the system is as follows (and be prepared to
sign NDAs):

Get the Target of Evaluation (TOE).
Get the Protection Profiles (PP) that were implemented and tested.
Get the Evaluation report for the tests.
Get the certificate for the system.
Examine the system and see if it is configured the same way.
Record the differences between the PP, TOE, Report and your system:
there will be some.
See if you can live with the differences, as they make the EAL
certification invalid but the system more secure or usable.

Remember however: 

Certification only proves the system CAN be secured to that specific
level, and they are a snapshot at that configuration.
Systems need patching and this changes the configuration.
The amount of work required to secure the OS as per the certified
configuration is often huge and results in a significantly degraded user
experience.

HTH

Email me direct if you want to know more or ask any direct questions.  

Steve A

---------------------------------------------------------------------

Logically Secure Forum (current home of the Vulnerability Assessment and
Operational Security Testing VAOST methodology)
www.logicallysecure.com/forum


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of castellan2004-fd () yahoo com
Sent: 01 November 2006 10:12
To: pen-test () securityfocus com
Subject: Vulnerability Assessment of a EAL 4 system


I am looking at a Linux server which has been accredited as an EAL4
system by IBM.  During the assessment, I was looking for standard Linux
protections like iptables, ssh etc.  On this server, there is no
iptables.

Regardless, I would like to know how to evaluate an EAL
4 system.  What do you need to look for in the EAL 4 system in
production that could become vulnerable?

Thank you in advance for any help.
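The comparison step described in the thread (check the production build against the exact build, patch level and package set the certificate covers, then record every difference) can be scripted. The script below is an added example written for this archive page, not code from any of the posters. The manifest format, the package names and every version string in it are constructed for illustration; in a real assessment the certified values would be transcribed from the Security Target and the evaluation report, and the observed values from the machine under review.

```python
"""Compare an observed Linux build against the configuration that a
Common Criteria certificate covers, and list every deviation.

The manifest format (``key: value`` lines plus ``package NAME VERSION``
lines) is an assumption made for this example; real evaluation reports
describe the TOE in prose, so the certified manifest has to be
transcribed by hand from the Security Target and evaluation report.
"""
from dataclasses import dataclass, field

# Constructed sample: what the certificate / Security Target says was evaluated.
CERTIFIED_MANIFEST = """\
kernel: 2.6.9-22.EL
arch: x86_64
package openssh-server 3.9p1-8
package iptables 1.2.11-3
package pam 0.77-66
"""

# Constructed sample: what an assessor recorded on the production server.
# The kernel has been patched, iptables is absent and httpd was added.
OBSERVED_MANIFEST = """\
kernel: 2.6.9-42.EL
arch: x86_64
package openssh-server 3.9p1-8
package pam 0.77-66
package httpd 2.0.52-28
"""


@dataclass
class Manifest:
    settings: dict = field(default_factory=dict)   # kernel, arch, ...
    packages: dict = field(default_factory=dict)   # name -> version


def parse_manifest(text):
    """Parse the assumed manifest format into a Manifest."""
    m = Manifest()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("package "):
            _, name, version = line.split()
            m.packages[name] = version
        else:
            key, _, value = line.partition(":")
            m.settings[key.strip()] = value.strip()
    return m


def drift_report(certified, observed):
    """Return (kind, name, certified_value, observed_value) tuples.

    kind is one of: setting (a key such as the kernel differs),
    missing (certified package not installed), version (installed at a
    different version, e.g. after patching) or extra (installed but not
    part of the evaluated configuration).  Any finding means the
    certificate no longer describes this machine, even where the change
    (a newer patch level, an added host firewall) makes it more secure.
    """
    findings = []
    for key, want in certified.settings.items():
        have = observed.settings.get(key)
        if have != want:
            findings.append(("setting", key, want, have))
    for name, want in certified.packages.items():
        have = observed.packages.get(name)
        if have is None:
            findings.append(("missing", name, want, None))
        elif have != want:
            findings.append(("version", name, want, have))
    for name, have in observed.packages.items():
        if name not in certified.packages:
            findings.append(("extra", name, None, have))
    return findings


def matches_certified_build(certified, observed):
    """True only when the observed build is identical to the certified one."""
    return not drift_report(certified, observed)


def format_report(findings):
    """Render findings as one line each for the assessment record."""
    return "\n".join(
        f"{kind:8} {name:16} certified={want!s:14} observed={have!s}"
        for kind, name, want, have in findings
    )


if __name__ == "__main__":
    certified = parse_manifest(CERTIFIED_MANIFEST)
    observed = parse_manifest(OBSERVED_MANIFEST)
    report = drift_report(certified, observed)
    print(format_report(report) or "observed build matches certified build")
    print("certificate applies:", matches_certified_build(certified, observed))
```

Run against the two constructed manifests, the report lists a kernel that is at a later patch level than the evaluated one, a certified package (iptables) that is not installed, and an extra package (httpd) outside the evaluated scope; each of those is exactly the kind of difference the thread says to record and then decide whether to live with.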

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.28/518 - Release Date:
04/11/2006



