Comments on TaoSecurity Blog: Thoughts on Recent Microsoft Common Criteria News
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comments feed last updated 2023-10-16 06:06 -04:00

Comment by Anonymous, 2005-12-19 12:40 -05:00

A few comments on a previous post:

Re: (anon) "Common Criteria is a sales tool for IT companies to peddle products and services to Government; nothing more, nothing less."

Common Criteria is much more. In addition to being a sales/marketplace discriminator, Common Criteria is an evaluation methodology that can help product vendors improve their SDLC (including design, documentation, testing, etc.).

Moreover, Common Criteria evaluation is a requirement for IA and IA-enabled products sold into the US Federal and Global governments. The US has horizontal policies for procuring only products that meet Common Criteria, and certain agencies have vertical requirements that are more detailed (e.g., requiring adherence to a Protection Profile).

"The amazing thing is that most of the products do not reach the CC rating 'out of the box'."

Because of the nature of the CC, it doesn't necessarily always make sense for a product to be configured for CC out of the box. Of course, it's doable, especially at lower assurance levels. But at higher assurance levels, the CC requires more stringent documentation and assurance measures against the product's functional requirements. The problem is that end users do not always have the same stipulations for functional requirements to be evaluated. Even if the product is shipped in evaluated configuration, the end user will need to configure the product according to their respective systems security policies and postures. Oftentimes this conflicts with the evaluated configuration of the point products, but that's a discussion for another time.

"Companies have to recoup these costs somehow...usually by charging premium rates later..."

This is not the case. I ran the security assurance program for one of the most active product vendors in the FIPS 140/Common Criteria certifications space, and there is little to no room to add cost-recovery mechanisms to certified products. Why? Well, having certification is the ante to sell certain products to Government. Past that, the potential buyer will look at performance, interoperability, and cost. Product vendors cannot and do not typically increase the cost of products sold to government to recover certification costs because the market (e.g., a competitor) does not. The cost essentially materializes as the 'cost of doing business'.

Comment by Anonymous, 2005-12-19 10:42 -05:00

@chris

It is also *heavily* reliant on the management of the company that the system resides in.

Management can overrule any administrator's insistence on securing the box properly. Of course the administrator can move on to another job, but the box still isn't secure despite a competent administrator being there.

There needs to be policy and procedure in place to *ALLOW* the administrator to properly secure the box (given the environment).

This may be why we see so many broken-into systems in both the Government and private industry, and the need for such regulations as HIPAA, GLBA, et al.

Comment by Chris Buechler (https://www.blogger.com/profile/14915136057838042206), 2005-12-18 19:58 -05:00

It's good to see "competent individuals assigned to manage" in there. That's the biggest problem with the security of any system. As much as *nix fanboys bash MS security, when it comes down to it, a well-managed Windows server is just as secure as a well-managed *nix server in most cases.

The security of any server, network device, application, etc. is *heavily* reliant upon the competency of its administrator to ensure the system is secure and stays that way.

Comment by Anonymous, 2005-12-18 12:56 -05:00

Common Criteria is a sales tool for IT companies to peddle products and services to Government; nothing more, nothing less. The amazing thing is that most of the products do not reach the CC rating 'out of the box'. For example, if a Government user would like Windows XP Professional SP2 to reach EAL4, it sure isn't set up that way following installation. Normally, many separate runs of 'lockdown', registry tweaks, Security Policy configurations, etc. must be done to even attempt reaching the 'claimed' EAL4. After that, try using it as a Workstation ;-). Good luck if you can do word processing with it.

Sad to see that Government is still setting itself up for failure by limiting itself to 'NIAP Certified' products. More like 'high priced' goods due to the costs associated with getting an 'EAL 4+' certification. Companies have to recoup these costs somehow...usually by charging premium rates later...

Comment by Sean C (https://www.blogger.com/profile/08516364847801916441), 2005-12-18 11:55 -05:00

On a similar thread..., I know that the Sidewinder firewall has also achieved an EAL4+ rating:

"It recently achieved the highest level of EAL4+ Common Criteria certification possible (far stronger than other vendors' EAL4 ratings)."
http://www.securecomputing.com/index.cfm?skey=232

The reason I write this is simply that in Jan 2006, I start a contract where I'll be supporting Sidewinder Firewalls. I had never heard of Sidewinder before but had heard of the EAL rating from my studies for the CISSP (no..., don't want to start a CISSP thread). Just curious if anyone has any comments on the Sidewinder.

Richard - I apologize for going off topic.

Thx, Sean C

Comment by Anonymous, 2005-12-17 22:09 -05:00

Haven't we been through this already? Yes, we have: http://eros.cs.jhu.edu/~shap/NT-EAL4.html