RE: Vulnerability Assessment of a EAL 4 system

From: Steve Armstrong (stevearmstrong@logicallysecure.com)
Date: Sun Nov 05 2006 - 12:03:18 EST

• Next message: GomoR: "SinFP 2.04 release, works under Windows"
• Previous message: Michael Scheidell: "RE: Changing Source Port during Penetration Testing?"
• Maybe in reply to: castellan2004-fd@yahoo.com: "Vulnerability Assessment of a EAL 4 system"
• Next in thread: Hardwick, Stephen: "RE: Vulnerability Assessment of a EAL 4 system"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Ok, lets look at some terminology first.

EAL is the European Assurance Level, so it isn't accredited for anything
contrary to what IBM say - they are not an accreditation authority!
EALS were designed to replace ITSEC (IT Security Evaluation Criteria)
levels adopted by the UK, Germany, France and Netherlands. The best
reference for EAL material under the CC (Common Criteria) can be found
here http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

However, to conduct an EAL or any assurance is very very very expensive
and not conducted lightly (a complex OS will cost millions!).
Governments and Defence are usually the main customers, but as you do
not understand the process, I doubt you are from these fields.
Therefore, I doubt you have requested a unique testing or installation
to the EAL4 level. If you have an OS that has been tested and certified
to the EAL level you must compare the TOE (Target of Evaluation) with
you installation as the EAL certification is only valid on the exact
build, patch level and hardware - so pay close attention to detail. One
of the most important parts of the evaluation is the list of what is in
scope and what is not. Early MS evaluations of NT4 were actually
against the system being isolated from the network! (this was addressed
by the final eval of NT4 y2k + gina fix version of the ITSEC E3
certification).

I should point out that MS took around 2.5 YEARS to get Win2k certified
to EAL 4. And in doing so had to release SP2 for Win2k - so you guess
the level of testing and code review necessary.

To answer the second Q:

The process to evaluating the system is as follows (and be prepared to
sign NDAs):

Get the Target of Evaluation (TOE).
Get the Protection Profiles (PP) that were implemented and tested.
Get the Evaluation report for the tests.
Get the certificate for the system.
Examine the system and see if it is configured the same way.
Record the differences between the PP, TOE, Report and your system :
there will be some.
See if you can live with the differences, as they make the EAL
certification invalid but the system more secure or usable.

Remember however:

Certification only proves the system CAN be secured to that specific
level, and they are a snap shot at that configuration.
Systems need patching and this changes the configuration.
The amount of work required so secure the OS as per the certified
configuration is often huge and results in a significantly degraded user
experience.

HTH

Email me direct if you want to know more or ask any direct questions.

Steve A

---------------------------------------------------------------------

Logically Secure Forum (current home of the Vulnerability Assessment and
Operational Security Testing VAOST methodology)
www.logicallysecure.com/forum

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of castellan2004-fd@yahoo.com
Sent: 01 November 2006 10:12
To: pen-test@securityfocus.com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as a EAL4
system by IBM. During the assessment, I was looking for standard Linux
protections like iptables, ssh etc. On this server, there is no
iptables.

Regardless, I would like to know how to evaluate a EAL
4 system. What do you need to look for in the EAL 4 system in
production that could become vulnerable?

Thank you in advance for any help.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.28/518 - Release Date:
04/11/2006
 
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.28/518 - Release Date:
04/11/2006
 
-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.28/518 - Release Date:
04/11/2006
 
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: GomoR: "SinFP 2.04 release, works under Windows"
• Previous message: Michael Scheidell: "RE: Changing Source Port during Penetration Testing?"
• Maybe in reply to: castellan2004-fd@yahoo.com: "Vulnerability Assessment of a EAL 4 system"
• Next in thread: Hardwick, Stephen: "RE: Vulnerability Assessment of a EAL 4 system"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:18 EDT