Saturday, 17 December 2005

Thoughts on Recent Microsoft Common Criteria News

Through Slashdot I hunted down this story about certain Microsoft products being awarded Common Criteria (CC) Evaluation Assurance Level (EAL) 4 Augmented with ALC_FLR.3 certification. They include:


  • Microsoft Windows Server™ 2003, Standard Edition (32-bit version) with Service Pack 1

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1

  • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)

  • Microsoft Windows XP Professional with Service Pack 2

  • Microsoft Windows XP Embedded with Service Pack 2


Achieving this certification is important to Microsoft, because of certain laws:

"[E]ffective 1 July 2002... departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program."

It is important to remember that "EALs refer to the level of confidence in the conclusions of the evaluation, and not to the level of security the product provides. In other words, you can have more confidence that an EAL4 product performs as advertised than an EAL2 product... But an EAL4 product will not necessarily provide more security."

What really matters is the Protection Profile used to evaluate the products. I read that "[t]he Microsoft products were evaluated against the Controlled Access Protection Profile," (CAPP) which is available here (.pdf). Here are a few choice excerpts from the CAPP. Where you see "TOE", think "Microsoft system".

  • The system does not have to defend itself against physical attacks: "The processing resources of the TOE will be located within controlled access facilities which will prevent unauthorized physical access."

  • Sorry, I had to highlight this statement: "There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains."

  • The following implies that the evaluated system should not be a publicly accessible server: "Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. CAPP-conformant TOEs are applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain."


If you continue reading the document, you'll find a great many requirements covering audit records, user authorization, vendor-provided documentation, and so forth. This is probably not what people first imagine when they think of "secure" products.

Keep these assumptions in mind when you consider the importance of Microsoft products achieving EAL-4 certification.

Update: You can download the Windows XP / Server 2003 Common Criteria Evaluation Technical Report in .zip format.
