Wednesday, September 28, 2005

Thoughts on EAL7 Rating

I read in the story Network appliance to get highest-ever security rating by Michael Arnone about the EAL7 (Evaluation Assurance Level 7) rating achieved by the Tenix Datagate. An EAL7 system bears these qualities:

"Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised."

My last post mentioned an introductory article on the Common Criteria, and I found an exceptional quote in that piece about EALs. Writer Alex Ragen says:

"EAL is the level of confidence achieved by the TOE [Target of Evaluation, a product], and is a function of the SARs [Security Assurance Requirements] with which the TOE complies...

EALs refer to the level of confidence in the conclusions of the evaluation, and not to the level of security the product provides. In other words, you can have more confidence that an EAL4 product performs as advertised than an EAL2 product... But an EAL4 product will not necessarily provide more security."

This is an incredible insight. I guarantee I will encounter government managers who hunt for high EAL products because they think they provide "more security."

This is what the Tenix product does:

"Placed at each connection between unclassified and classified servers, Data Diode permits only one-way transmission of data from unclassified to classified networks."

According to Michael Arnone's article: "A senior technical consultant at Tenix said 'it’s physically impossible for data to go back the other way,' which ensures unparalleled security."

Oh boy, that sounds like a challenge! The main barrier to breaking that claim is getting equipment into the right hands.

I found the Tenix product listed on the NIAP in evaluation page and on the validated product page. The lab which tested the product is COACT. Here is the Tenix press release.


John Ward said...

For some reason... it reminds me of the guarantee scene from Tommy Boy..

Tommy: Here's how I see it. A guy puts a guarantee on the box 'cause he wants you to feel all warm and toasty inside.
Ted: Yeah, makes a man feel good.
Tommy: 'Course it does. Ya think if you leave that box under your pillow at night, the Guarantee Fairy might come by and leave a quarter.
Ted: What's your point?
Tommy: The point is, how do you know the Guarantee Fairy isn't a crazy glue sniffer? "Building model airplanes" says the little fairy, but we're not buying it. Next thing you know, there's money missing off the dresser and your daughter's knocked up, I seen it a hundred times.

Interesting choice of names, the Data Diode. Let's just hope that Data Diode isn't of the Zener type... Supposedly the NSA evaluates all products rated at EAL4 and above. I'd be interested to see what exactly is evaluated and how.

Ipslore said...

The KVM mentioned in the linked-to article would be nice to have. But the hoopla over the network appliance seems a bit much.

If the only requirement is to accept traffic up and block traffic down, for my money, I'd buy three fiber transceivers configured as:

* Low-side transmit goes to high-side receive.
* Low-side receive goes to dummy 3rd transceiver's transmit.
* Apply epoxy to dummy-receive and high-side transmit.
* Turn off low-side's far-end fault.
* Require traffic crossing this point to be connectionless.

Abracadabra: physically impossible for data to go back.

Anonymous said...

One other item to consider is what TOE was used for the evaluation. If the TOE doesn't encompass your entire threat environment it can be rated EAL 99 and still not protect you.

Strangelove said...

"Data diodes" are not new ->

The above type is basically a link level (ethernet) diode. There is no reverse data flow. Data from public networks are fetched from the public side (web, maillist, etc) and transferred to software on the classified side that makes it readable.

Richard Bejtlich said...

I did not imply these were new devices. So-called "guards" have been used on DoD networks for decades.

John Ward said...

I think he was referring to my comment questioning the name "Data Diode" since that's a new one on me.

At first I was questioning the validity of that claim, after all if it is a true diode, it would only allow flow in one direction. How would a TCP handshake occur, not to mention a full session? I was also wondering how it would do that, either software or hardware, so in my mind I was picturing an array of diodes for each line of the data flow.

I found my answer at, or at least one description of how one vendor accomplished it. This particular vendor's product is only an EAL2, but at least it explains the basic idea.
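Ipslore's three-transceiver build ends with "require traffic crossing this point to be connectionless", and John Ward asks how a TCP handshake could ever complete across a true diode. The short answer is that it cannot: the SYN-ACK has no path back, so anything crossing the link has to be a fire-and-forget datagram, and the receiving side has to cope with loss and corruption without ever sending a NACK. The Python model below is an added example, not code from the post, from any commenter, or from Tenix; its wire format (transfer id, sequence number, chunk count, CRC-32), the repeat count used in place of acknowledgements, and the sample payload are all constructed for illustration. The simulated link drops datagrams by position in the send order, which is the one thing the sender is never told about.

```python
import struct
import zlib

# Constructed wire format for this example: transfer id, chunk sequence number,
# total chunks in the transfer, CRC-32 of the payload that follows the header.
HEADER = struct.Struct("!IIHI")


def make_datagrams(transfer_id, data, chunk_size=8, redundancy=2):
    """Split `data` into self-describing datagrams and emit each one
    `redundancy` times. Repetition stands in for feedback: the low side
    will never hear which datagrams were lost, so it cannot retransmit
    on request."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    total = len(chunks)
    datagrams = []
    for seq, chunk in enumerate(chunks):
        header = HEADER.pack(transfer_id, seq, total, zlib.crc32(chunk))
        datagrams.extend([header + chunk] * redundancy)
    return datagrams


class DiodeReceiver:
    """High-side receiver: consumes datagrams and never transmits anything."""

    def __init__(self):
        self.chunks = {}   # transfer_id -> {seq: payload}
        self.totals = {}   # transfer_id -> chunk count announced in headers
        self.rejected = 0  # truncated or CRC-mismatched datagrams

    def receive(self, datagram):
        """Validate one datagram; corrupt input is dropped and counted,
        since there is no way to ask for it again."""
        if len(datagram) < HEADER.size:
            self.rejected += 1
            return False
        transfer_id, seq, total, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        if zlib.crc32(payload) != crc or seq >= total:
            self.rejected += 1
            return False
        self.totals[transfer_id] = total
        # A duplicate from a redundant send simply overwrites identical bytes.
        self.chunks.setdefault(transfer_id, {})[seq] = payload
        return True

    def missing(self, transfer_id):
        """Sequence numbers not yet seen; the only loss signal the high side has."""
        got = self.chunks.get(transfer_id, {})
        return [s for s in range(self.totals.get(transfer_id, 0)) if s not in got]

    def assemble(self, transfer_id):
        """Reassemble the transfer, or return None if any chunk is still missing."""
        if transfer_id not in self.totals or self.missing(transfer_id):
            return None
        return b"".join(self.chunks[transfer_id][s] for s in range(self.totals[transfer_id]))


def simulate_one_way(data, drop_indices=(), redundancy=2, transfer_id=7):
    """Push a transfer across a simulated one-way link. `drop_indices` are
    positions in the send order that the link silently loses."""
    receiver = DiodeReceiver()
    for index, datagram in enumerate(make_datagrams(transfer_id, data, redundancy=redundancy)):
        if index in drop_indices:
            continue
        receiver.receive(datagram)
    return receiver.assemble(transfer_id), receiver.missing(transfer_id)


if __name__ == "__main__":
    sample = b"CLASSIFIED-BOUND REPORT 0042"  # constructed sample payload, 4 chunks
    print(simulate_one_way(sample))                        # arrives intact
    print(simulate_one_way(sample, drop_indices={2}))      # one copy of chunk 1 lost, its twin covers it
    print(simulate_one_way(sample, drop_indices={2, 3}))   # both copies of chunk 1 lost: gap reported
```

With two copies of every chunk, losing one copy is invisible to the reassembled output; losing both leaves the high side knowing exactly which sequence number is absent but with no channel to say so. Real products solve the same problem with forward error correction or scheduled re-sends instead of plain duplication, but the constraint Ipslore's last step captures is identical: every recovery mechanism has to live entirely on the sending side.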