You may have heard of this before. You may have heard something like the Windows 2000 operating system has achieved Common Criteria certification at Evaluation Assurance level 4 (EAL-4). The question is, do you know what this means, what it means to your organization or in the world of security? In this article we will explain what the Common Criteria Certification is and what the EAL levels are, why they are important and broaden you horizons in yet another area of systems security. In Part II of this article set we will look at how it directly relates to the Windows product lines (XP, 2000, 2003) and why its important to know and understand.
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
What is the Common Criteria Certification?
As Security Analysts, we are always compelled to produce only high quality code (if we are coders), or highly secured networks that still function in a business environment. If you think about it, all infrastructure devices runs some form of 'code' so basically, it's important to produce high quality code. Why did I not say, 'highly secure' code? Well, if code was of high quality (going through a strict QA -quality assurance- process) then we would not have 'exploits' of that code on a daily basis. Writing high quality code is really what stops 90% of the flaws in computer systems and the holes in which tons of virus's exploit yearly. So, in turn since everything revolves around 'money', its imperative to be 'first to market' - so, there you have it - catch-22. The Common Criteria Certification (much like ICSA labs for most Firewall products today), is a certification earned to 'prove' that a product such as Microsoft Windows 2000 is 'certifiably' tested and proven safe at a certain level. Scary enough, many products miss this certification for not passing its standards. The standards if you will are the EAL levels which we will discuss later in this article.
Remember, Security starts with solid software programming, good quality code. Then, the 'testing' of that code is what implies its safety. As well, once you create good quality software, you have to be aware that it needs to continue to be evaluated to maintain that status which means that it's important to have a support system in place to 'fix' what become broke through trial and error. That means, Joe is sitting at home and installed some weird 16-bit program that wasn't tested by the vendor selling the software and whalla - a security vulnerability is born for whatever reason. That reason could be that it overwrote something and that created a problem. The software vendor now needs to follow up on the problem and if widespread enough, create a 'hotfix' to solve the problem. All this means is that the software vendor probably replaced a few program files with newer versions that aren't exploitable by that last problem, whatever it may be. Not to sound ridiculous here, but this is really the roots of what this certification means. To keep selling code, its probably wise to show the world it has been rigorously tested and proven safe by a third party not directly tied to the pocketbooks of the software vendor company... thus - common criteria certification is born.
Is Windows Server 2003 certified?
Well, no. Since this is a 'Windows' security site, I will say here and now that Windows 2000 has been certified by the Common Criteria Certification. It is a fact that Windows Server 2003 has not yet been certified, but not that it doesn't rate the certification or failed it by any means; the certification process takes years and it hasn't been completed as of yet. There is a link I placed at the end of this article to show the link on Microsoft.com that shows this information. Eventually it will complete testing (which sometimes lasts years as it is so rigorous) and be certified as well.
Now, that you have a clear picture of why this certification exists, let's get to the technical mumbo-jumbo. The Common Criteria is an international standard ratified in 1999. This standard now replaces an older standard which if you remember from your NT 4.0 days... is the C2.
What is C2?
The rating 'C2' is a rate given by the NCSC. The National Computer Security Center (or NCSC) evaluates the products against the DoD (Department of Defense) TCSEC which stands for 'Trusted Computer System Evaluation Criteria'. That C2 rating is found in the Orange Book (named this because it has an orange cover). C2 rating is much like the Common Criteria Certification - it's a set of testable standards that a product needs to be verified against to prove its worth. C2 was the old way, Common Criteria Certification is the new way.
It should be noted that the Orange Book evaluates standalone systems only; it does not evaluate the client to the server security and should be noted. The Red book extends coverage to networked systems, not just standalone systems.
Since the Common Criteria is multinational, then that means worldwide use of a certified product should equal more safety, more security for the customers using the product. This doesn't mean that because you have the software incorrectly configured that it's the vendor's problem - that's your problem. If you were completely unable to stop something because your product was defective, then it's the vendor's problem.
Now that we understand the Common Criteria, les look at the EAL levels. The Common Criteria specify a series of Evaluation Assurance Levels (EALs) for products that are under evaluation, such as Windows Server 2003.
Understanding EAL Levels
With the Common Criteria, EAL levels are quite simply used to show 'strength'
A higher EAL certification ultimately specifies a higher level of confidence that a vendors products are working well, and able to be secure. Not a small task these days.
Windows 2000 is certified...
Like I mentioned before, Windows 2000 achieved the certification. Testing for Microsoft Windows 2000 was completed not too long ago and was awarded EAL 4 + Flaw Remediation. This assures that you are getting a well tested product.
EAL's (or Evaluation Assurance Levels) are just that... levels that must be achieved by the product under evaluation. The EAL's are based on a very simple thought - the degree of flexibility and use of a system as well as the level of security assurance provided with that level of use. The 'EAL' is the definition of how that particular system was tested. This is a great thing, a product that works as advertised: Flexible and Secure.
You have seven EALs. EAL 1 is the lowest, EAL 7 is the highest. You can check current levels and listings at the sites provided at the end of this article. The level defines the level of assurance.
Evaluation Assurance Levels
EAL 1 covers the lowest and most basic of certifiable evaluation assurance. This rating surprisingly enough only covers 'functionality' of a product, not necessarily its security. As a matter of fact, this EAL rating means that the system will work in a production environment (it's functional), but no security is tested on the system to achieve a EAL 1 rating.
EAL 2 covers the next step in the rating system. Remember, the higher the rating, the more secure the system. It's important to understand that this rating only implies that the code was reviewed by a looser set of standards than you would see in the next level EAL 3. Basically, with EAL 2, security mechanisms are now checked but moderately. This means that the code is checked but not as strictly as in level 3.
EAL 3 becomes more strict, but again - no re-engineering of the code is done, the development process is not interrupted, EAL 3 can be achieved, but its still loose, not like 4 where costs are now involved to 'fix' what needs to be fixed to achieve a higher more stringent rating.
EAL 4 (Windows 2000, NetWare, some Unix deployments) is the most common EAL level you will likely see. This is because it's the first level that proves out that a system is safe, as the vendor was willing to 'fix' problems in the development process of the product to achieve this rating. EAL 4 incurs cost to the vendor, re-engineering is possible if flaws are found.
EAL 5 is a higher level than four - not moderate at all, it's a very strict process. EAL 5 would not be needed (the cost is higher, the time spent longer) to prove out what EAL 4 could.
EAL 6 is different in that it applies specifically to clients requesting it being in very high risk situations that would warrant the additional time and costs of the certification. EAL 6 means that the systems development is based on security... the system must be secure.
EAL 7 is only used in extreme high risk systems that cannot be exploitable - again the time spent longer and the cost of the assurance higher. The use of this level is limited to very specific systems with very specific security functionality.
Note: Another set of levels from the ITSEC can be found at the end of this article.
In this article we covered why you should know and understand the Common Criteria Certification and how it directly reflects against Windows products. In Part II, we will cover the Windows 2000 certification and other Microsoft Products that have been certified and why its important to you, the Security Analyst.
References and Links:
Microsoft.com site common criteria
Common Criteria Websites
Common Criteria Scheme