home
NEWS       BLOGS       FORUMS       NEWSLETTERS       RESEARCH       EVENTS       DIGITAL LIBRARY       CAREERS  
Network Computing Network Computing Powered by InformationWeek Business Technology Network

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |		 APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers



 
NetNews
N E W S / A N A L Y S I S  


Security Certification for SuSE: No Big Deal

  August 21, 2003
  By Mike Fratto


TOC Issue TOC
Printer Print full article
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author

SuSE has become the first Linux developer to receive a particular OS security certification that is internationally recognized and vital for selling to the U.S. and several European governments. This was hailed by some as a big score not only for SuSE but for all Linux distros.

But the certification has no value for Linux at large. It applies to only one version of SuSE's product, specifically the SuSE Linux Enterprise Server 8, with the certification-sles-eal2. rpm installation package. This is true of all certifications under Common Criteria, an agreement among many nations to unify security certification standards. Common Criteria certifications apply only to specific product versions with established configurations (see "Certification Security Blanket").

Linux Enterprise Server was certified at Evaluated Assurance Level 2+ out of 7 levels. This means the product has been tested only according to a vendor-defined configuration; the vendor has furnished documentation that it has performed a vulnerability analysis against known vulnerabilities; and the vendor has supplied, and the testing firm analyzed, documentation on the configuration and operation of a subset of system features.

What's more, the EAL2+ certification is limited to a fixed configuration and is focused on nonhostile environments like a protected data center. On a SuSE Linux Enterprise Server configured according to EAL2+, the only network services allowed are SSH and FTP. More important, the cryptographic features of OpenSSH were not evaluated because such testing would have taken too long. Other common services--like HTTP, DNS and SMTP running on their standard ports--are not part of the feature sets, further reducing the importance and usefulness of the EAL2+ configuration.

Each Linux distribution has its own programs and configuration files and, often different kernel modifications. So while Common Criteria certification is a somewhat positive milestone for SuSE, the other Linux distributions will have to step up for their own.

Post a comment or question on this story.







Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
10 Search Engines You Don't Know About
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs
Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

More articles from our career center










InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch
Microsite of the Week


Powerful Information at Your Fingertips



InformationWeek Business Technology Network
InformationWeekInformationWeek 500InformationWeek 500 ConferenceInformationWeek AnalyticsInformationWeek CIO
InformationWeek EventsInformationWeek ReportsInformationWeek MagazinebMightyByte and SwitchDark Reading
Digital LibraryIntelligent EnterpriseInternet EvolutionNetwork ComputingNo JitterPlug Into The Cloud
space
Techweb Events Network
InteropVoiceConWeb 2.0 ExpoWeb 2.0 SummitEnterprise 2.0 ConferenceMobile Business ExpoSoftware ConferenceCSI - Computer Security Institute
Black HatGTECEnergy CampMashup CampStartup Camp
space
Light Reading Communications Network
Light ReadingLight Reading EuropeUnstrungLight Reading's Cable Digital NewsConstantinopleInternet EvolutionPyramid Research
Heavy ReadingLight Reading Live!Light Reading InsiderEthernet ExpoOptical ExpoTeleco TVTower Technology Summit
space
Financial Technology Network
Advanced TradingBank Systems & TechnologyInsurance & TechnologyWall Street & TechnologyAccelerating Wall StreetBank Systems & Technology Executive SummitBuyside Trading SummitInsurance & Technology Executive Summit
space
Microsoft Technology Network
MSDN MagazineTechNetThe Architecture Journal
space


App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |  Advertising Contacts  |   Briefing Centers
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights