On Wed, 18 May 2005 08:25:32 PDT, Nora Barrera said: > Does anybody understand what is really tested during > an evaluation, or is it just bullshit? Ask the vendor for a copy of the evaluation report. http://csrc.nist.gov/cc/ The *important* part you want to find is the 'Protection Profile' that it was evaluated against - this replaces the old C1/C2/B1/B2/A levels in the old DOD Orange Book. Note *very* carefully this change from Orange Book: There are *two* components - the Protection Profile (how much stuff the system is designed to protect) and the EAL (evaluation assurance profile) (how good/ thorough a job the system does). So it's possible to get a very high rating on a not-very-protective profile (and in fact, many vendors have done this). http://niap.nist.gov/cc-scheme/pp/index.html has a list of profiles. Note that the EAL and PP interact - a CAPP (Controlled Access) evaluated at EAL4 may actually provide less *real* protection than an LSPP (Labeled System) evaluated to EAL3 - the EAL4 just means they've done more work to prove the *provided* security works as advertised. The NSA reportedly did an EAL7 light switch. They did a *LOT* of work proving there was no possible way to subvert any of the security mechanisms the light switch provided. :) (And yes, many vendors went for an EAL4 on a lower protection profile instead of an EAL3 on a profile that required more features - don't let Microsoft, IBM, Suse, or *anybody* brag up that EAL4 till they tell you what profile it was aginst ;)
Attachment:
pgpne8KCF3COk.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/