SUSE/IBM, Red Hat/Oracle Tool Up On CCS Security
CCS or Bust?
Backed by big name partners, SUSE Linux and Red Hat are each putting their security systems through the rigorous paces of Common Criteria Scheme (CCS) testing, with ultimate plans to reach the same security ratings already achieved by Microsoft and Unix players.
The Common Criteria stamp of approval "reduces the investment risk and also provides more trust" in Linux, according to Roman Drahtmueller, a member of SUSE�s security team.
Over a live videoconferencing link from Germany, Drahtmueller told attendees at the recent InfoSecurity conference in New York City that SUSE is "number one" among Linux distributors now being evaluated under the Common Criteria for Information Technology Security Evaluation (CC 2.1).
Drahtmueller added, though, that SUSE is also "grateful that we can contribute together with Red Hat" under the Common Criteria umbrella.
The CCS is aimed at providing IT customers with impartial security assessments of products. Evaluations are conducted by independent labs. In conjunction with Oracle, Red Hat announced plans last February to submit Linux Advanced Server for a Common Criteria ranking at Evaluation Assurance Level (EAL) 2. The initial Red Hat/Oracle evaluation is still under way, Drahtmueller noted. Together with its partner IBM, though, SUSE attained EAL2+ certification in July. The platform already certified under Common Criteria consists of SUSE Linux Enterprise Server (SLES) 8 running on IBM eServer xSeries. Also last July, IBM and SUSE announced that they expected to reach EAL3+ certification by the end of this year for SUSE Linux running "across the eServer product line."
Drahtmueller, however, said during the recent videoconference that SUSE and IBM are now eyeing the first quarter of 2004 for completion of EAL3+ evaluation.
The EAL3+ evaluation adds IA32 PowerPC and S/390 products from IBM to the hardware testing mix. The testing is being done using Controlled Access Protection Profile (CAPP), a standardized security target developed by the National Standards Association (NSA). IBM has also been submitting many of its software products for evaluation.
Meanwhile, the Red Hat and SUSE contingents have each announced their intentions to reach security certification at EAL4, the same level already accorded to both Windows 2000 Server and Unix platforms.
The vendors� work toward EAL certification is being driven by the needs of government customers around the world, according to Ed Reed, who is security tzar at Novell, a company now in the process of acquiring SUSE. Dozens of governments around the world use the CCS ratings, Reed said in a recent interview.
During the live videoconference from Germany, Drahtmueller maintained that Linux security is not particularly "easy to compare," because it consists of many distributions with "thousands of packages."
Drahtmueller also applauded the Common Criteria Scheme, however, for promoting easier deployment of security, as well as better "transparency and inspectability of code."
SUSE�s work toward Common Criteria evaluation ranges across areas that include "hardware, software, distributors� processes and procedures, lifecycle management, and content management," for example, according to Drahtmueller. SUSE has been fixing bugs and "tracking every piece of software."
Later in 2004, SUSE and IBM will be "increasing the evaluation level to [EAL]4 or higher," Drahtmueller said.
According to materials posted on Red Hat�s Web site, Oracle plans to submit its 9i Database Release 2 running on Linux for evaluation at EAL4.