Vulnerability Assessment of a EAL 4 system - Setup


Thread: Vulnerability Assessment of a EAL 4 system

  1. Vulnerability Assessment of a EAL 4 system

    I am looking at a Linux server which has been accredited as a EAL4
    system by IBM. During the assessment, I was looking for standard Linux
    protections like iptables, ssh etc. On this server, there is no iptables.

    Regardless, I would like to know how to evaluate a EAL 4 system. What
    do you need to look for in the EAL 4 system in production that could
    become vulnerable?

    Thank you in advance for any help.

    N J

  2. Re: Vulnerability Assessment of a EAL 4 system

    Neil Jones writes:
    > I am looking at a Linux server which has been accredited as a EAL4
    > system by IBM. During the assessment, I was looking for standard Linux
    > protections like iptables, ssh etc. On this server, there is no iptables.
    >
    > Regardless, I would like to know how to evaluate a EAL 4 system. What
    > do you need to look for in the EAL 4 system in production that could
    > become vulnerable?


    orange book like stuff ... sort of assumed that everything was a
    general purpose computer and had to have provisions to handle
    everything that a general purpose computer might encounter
    (including various kinds of multi-user sharing). there was somewhat
    generalized criteria that things were evaluated against.

    i've somewhat characterized the change over to common criteria ... as
    recognizing that not everything is a general purpose computer
    (including multi-user sharing) ... and so there are all sorts of
    provisions in common criteria for specifying the "protection profile"
    against which something will be evaluated.

    there is some general stuff about what kinds of things that need to
    be in a "protection profile" for different evaluation levels ... but
    without the specific protection profile ... you have no real idea what
    specific evaluation has been performed.

    it is possible that there could be security things that you might be
    interested in doing ... that just weren't considered or included in
    the protection profile used for the evaluation.

    ostensibly one of the purposes of evaluation was so you could compare
    the evaluation levels of two similar products and use the evaluation
    to help in the choice ... under the assumption that using the same
    protection profile would result in comparable evaluations. However, a
    couple years ago, there was a statement that of the 64 some
    evaluations that had been performed at that time, something like sixty
    of the evaluations had non-public deviations from published protection
    profile (making it difficult to use evaluations as part of comparing
    similar products)

    National Information Assurance Partnership (NIAP) home page
    http://www.nsa.gov/ia/industry/niap.cfm

    The Common Criteria Evaluation and Validation Scheme
    http://niap.bahialab.com/cc-scheme/

    Common Criteria Portal
    http://www.commoncriteriaportal.org/

    List of Protection Profiles (against which evaluations are performed)
    http://www.commoncriteriaportal.org/...dex.php?menu=5

    under operating systems in the above ... there is

    "Multi-level Operating Systems in Medium Robustness Environments PP" protection
    profile (at EAL4+)
    http://www.commoncriteriaportal.org/...P-MR_V1.22.pdf

    "Multi-level Operating Systems in Medium Robustness Environments" certification
    report (at EAL4+)
    http://www.commoncriteriaportal.org/..._VID204-VR.pdf

    then there is

    "Single-level Operating Systems in Medium Robustness PP" protection profile
    (at EAL4+)
    http://www.commoncriteriaportal.org/...P-MR_V1.22.pdf

    "Single-level Operating Systems in Medium Robustness PP" certification report
    (at EAL4+)
    http://www.commoncriteriaportal.org/...s/PP_VID203-VR


    whole lot of past posts mentioning risk, fraud, exploits, and vulnerabilities
    http://www.garlic.com/~lynn/subintegrity.html#fraud

    and some number of past posts mentioning assurance
    http://www.garlic.com/~lynn/subintegrity.html#assurance


  3. Re: Vulnerability Assessment of a EAL 4 system

    Anne & Lynn Wheeler wrote:
    >
    >>I am looking at a Linux server which has been accredited as a EAL4
    >>system by IBM. During the assessment, I was looking for standard Linux
    >>protections like iptables, ssh etc. On this server, there is no iptables.
    >>
    >>Regardless, I would like to know how to evaluate a EAL 4 system. What
    >>do you need to look for in the EAL 4 system in production that could
    >>become vulnerable?

    >
    >
    > orange book like stuff ... sort of assumed that everything was a
    > general purpose computer and had to have provisions to handle
    > everything that a general purpose computer might encounter
    > (including various kinds of multi-user sharing). there was somewhat
    > generalized criteria that things were evaluated against.
    >
    > i've somewhat characterized the change over to common criteria ... as
    > recognizing that not everything is a general purpose computer
    > (including multi-user sharing) ... and so there are all sorts of
    > provisions in common criteria for specifying the "protection profile"
    > against which something will be evaluated.
    >
    > there is some general stuff about what kinds of things that need to
    > be in a "protection profile" for different evaluation levels ... but
    > without the specific protection profile ... you have no real idea what
    > specific evaluation has been performed.
    >
    > it is possible that there could be security things that you might be
    > interested in doing ... that just weren't considered or included in
    > the protection profile used for the evaluation.
    >
    > ostensibly one of the purposes of evaluation was so you could compare
    > the evaluation levels of two similar products and use the evaluation
    > to help in the choice ... under the assumption that using the same
    > protection profile would result in comparable evaluations. However, a
    > couple years ago, there was a statement that of the 64 some
    > evaluations that had been performed at that time, something like sixty
    > of the evaluations had non-public deviations from published protection
    > profile (making it difficult to use evaluations as part of comparing
    > similar products)
    >


    Thank you for replying.

    The system is a EAL4 system (using Common Criteria). Do I need to look
    for the protection profiles on the system? Are there any config files
    that define these protection profiles (PP)?

    N J

  4. Re: Vulnerability Assessment of a EAL 4 system

    Neil Jones wrote:
    > Thank you for replying.
    >
    > The system is a EAL4 system (using Common Criteria). Do I need to look
    > for the protection profiles on the system? Are there any config files
    > that define these protection profiles (PP)?
    >
    > N J


    The Security Target should be available and this would be a good
    starting point as this should tell you how the system meets the
    Protection Profile to which it conforms. As a little aside I wouldn't
    hold that much faith in a CC evaluation to 'prove' that a system is
    secure. CC is criticised for focusing too heavily on paperwork and
    process and little on actually uncovering vulnerabilities.

  5. Re: Vulnerability Assessment of a EAL 4 system

    JAB wrote:
    > Neil Jones wrote:
    >> Thank you for replying.
    >>
    >> The system is a EAL4 system (using Common Criteria). Do I need to look
    >> for the protection profiles on the system? Are there any config files
    >> that define these protection profiles (PP)?
    >>
    >> N J

    >
    > The Security Target should be available and this would be a good
    > starting point as this should tell you how the system meets the
    > Protection Profile to which it conforms. As a little aside I wouldn't
    > hold that much faith in a CC evaluation to 'prove' that a system is
    > secure. CC is criticised for focusing too heavily on paperwork and
    > process and little on actually uncovering vulnerabilities.


    Exactly. CC is meant to analyze the process, not the product. The CC
    doesn't include debugging. The deepest level of analysis is source code
    review.

    The abbreviations EAL and PP are different sides of the same coin: the
    EAL tells the amount of effort put into compliance, and the PP tells
    what the end result is trying to be compliant with. If you want to know
    something about a product, the PP is more important than the EAL.

    -- Lassi

  6. Re: Vulnerability Assessment of a EAL 4 system

    Lassi Hippeläinen wrote:
    > JAB wrote:
    >> Neil Jones wrote:
    >>> Thank you for replying.
    >>>
    >>> The system is a EAL4 system (using Common Criteria). Do I need to look
    >>> for the protection profiles on the system? Are there any config files
    >>> that define these protection profiles (PP)?
    >>>
    >>> N J

    >>
    >> The Security Target should be available and this would be a good
    >> starting point as this should tell you how the system meets the
    >> Protection Profile to which it conforms. As a little aside I wouldn't
    >> hold that much faith in a CC evaluation to 'prove' that a system is
    >> secure. CC is criticised for focusing too heavily on paperwork and
    >> process and little on actually uncovering vulnerabilities.

    >
    > Exactly. CC is meant to analyze the process, not the product. The CC
    > doesn't include debugging. The deepest level of analysis is source code
    > review.
    >
    > The abbreviations EAL and PP are different sides of the same coin: the
    > EAL tells the amount of effort put into compliance, and the PP tells
    > what the end result is trying to be compliant with. If you want to know
    > something about a product, the PP is more important than the EAL.
    >


    If I was to be perfectly honest I would say that CC is a great idea but
    that reality is that it adds almost nothing to the security of a product
    as it is governed by purists that have no understanding of the
    commercial world or more importantly why security vulnerabilities occur.
    The sooner it is ditched in favour of an evaluation scheme that actually
    concentrates on is a product secure the better. Unfortunately the CC
    board seem so entrenched in their own little world so I don't expect any
    changes soon.
