Red Hat is pushing to have its commercial Enterprise Linux software certified under the Common Criteria (CC) Scheme worldwide, and anticipates the operating system will gain accreditation by the end of this year.
The CC Scheme is designed to test and provide independent, impartial assessments of IT products. CC security evaluations are based on an analysis and test of the IT product to judge its conformance to specified IT security requirements nominated by participants in the CC scheme.
The certification of Red Hat’s software is currently being conducted on behalf of the UK government’s Communications-Electronics Security Group, which is aligned with the international Common Criteria program. Red Hat initially submitted Enterprise Linux 3 for evaluation in February this year.
The evaluation is being undertaken on Red Hat Enterprise Linux version 3 running on specified Dell and Hewlett-Packard hardware platforms. This solution encompasses Linux Advanced Server (for large departmental servers), Enterprise Server (for medium-scale deployments) and WorkStation (for desktop/client applications).
Once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program. The members are Australia, New Zealand, the US, Canada, Spain, Germany, Greece, The Netherlands, France, Hungary, Austria, Italy, Turkey, Norway, Finland, Sweden, Israel and Japan.
“Once done, the certification would carry the same weight in Australia as if the certification testing were performed here,” chief technology architect for Red Hat South Asia-Pacific region Richard Keech said.
In Australia, the Defence Signals Directorate (DSD) instigates software testing and provides the Australian Government and Defence Force with details on certified software found to have an appropriate level of information security through its Evaluated Products List (EPL). Products currently featured on the EPL range from network security products by Cisco Systems, Tenix Defence Systems and SecureNet, to smartcard and public key technologies, as well as operating systems from HP, Sun and IBM.
If approved, Red Hat Enterprise Linux 3 would sit alongside versions of Sun Solaris, HP-UX and IBM’s AIX operating system.
Keen to ensure its operating system meets the security requirements of government agencies and departments globally, Red Hat has submitted Red Hat Enterprise Linux 3 for Common Criteria evaluation at Evaluation Assurance Level (EAL) 2. EALs range from 1 to 7, with higher numbers representing a greater level of assurance.
Although EAL 2 is a fairly low rating on the scale, Keech said it is an “appropriate first step”.
“We expect EAL 2 will be sufficient to give government users an initial level of confidence in Red Hat's products,” he said.
Keech added users can expect to see higher-level certifications for Red Hat solutions “in time”.
To help get its product through the certification process, Red Hat has struck up a relationship with database giant Oracle.
According to Keech, the collaborative effort with Oracle was prompted by the vendor’s prior experience in the area of CC certification, as well as its mutual interest in having Red Hat products certified.
Alongside its decision to support Red Hat’s Enterprise Linux version 3 certification process, Oracle announced in February that it would submit Oracle9i database release 2 on the Linux operating system to the CC Scheme for an EAL 4 level evaluation. EAL 4 represents the highest level generally achieved by commercial software vendors.
Once approved, the Oracle9i database will comply with the US government's equivalent security policy directive, which requires independent security evaluations for products used in national security systems.