When a system is submitted for evaluation against one of the methods that will be described soon, a lengthy process begins which includes tons of paperwork and a full analysis of the system. The examination includes dissecting, at a very fine level, how various components of the system work independently and together. Areas examined include the trusted computing base, access control mechanisms, kernel, reference monitoring, and protection mechanisms.
There are three evaluation methods that will be discussed. These are The Orange Book, the Information Technology Security Evaluation Criteria (ITSEC), and the Common Criteria methods. Of these three, the Common Criteria is becoming the industry standard, and was, in fact, developed to be so.
The Orange Book
The Orange Book, more formally known as the Trusted Computer System Evaluation Criteria, was developed by the U.S. Department of Defense to evaluate operating systems, applications, and different products. It is known as the Orange Book due to the orange cover that it sported. The Orange book breaks it's assurance rating into four division, A - B - C - D, with some of the divisions having more than one class in it. Classes with a higher number represent a higher assurance rating. So C2 is greater than C1, and B1 is greater than C2. Criteria on which systems are evaluated breaks down into seven areas outlined as follows:
- Security policy - The policy must be explicit and well defined and enforced by the mechanisms within the system.
- Identification - Individual subjects must be uniquely identified.
- Labels - Access control labels must be associated properly with objects.
- Documentation - Documentation must be provided, including test, design, and specification documents, user guides, and manuals.
- Accountability - Audit data must be captured and protected to enforce accountability.
- Life-cycle assurance - Software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.
- Continuous protection - the security mechanisms and the system as a whole must perform predictably in different situations continuously.
Each division and class is cumulative, meaning to meet a higher rating, a system must also meet all requirements for lower divisions and classes. The criteria remains the same, all that changes is how closely components are examined and how well they are designed and enforced.
TCSEC was first introduced in 1985, and was the first methodical set of standards developed for evaluating computer systems. It was retired in December 2000.
Information Technology Security Evaluation Criteria
The Information Technology Security Evaluation Criteria (ITSEC) was the first attempt my many European countries to develop a standard for evaluating computer systems. With the ITSEC, a different approach was taken to separate the ratings of functionality and assurance. Each is given an individual rating on separate scales.
When functionality is examined, a system is tested to see how well it delivers the promises it's vendors make. If a vendor claims a firewall will effectively manage state, it should be shown that it does in fact do this. The design of functions can vary widely from product to product so while two systems may both provide the same functionality, they may do so in very different manners. This raises the need for the second rating of assurance. Assurance is examined to determine how trustworthy the process is that delivers this functionality. Assurance is a degree of confidence in the system to perform it's function.
When a system is rated it is given a grade that reflects it's functionality and a separate grade for it's assurance. The table below shows a mapping of these ratings to their functional equivalent on the Orange Book scale. As you can see, there is an additional set of ratings in the ITSEC that aims to address consumer needs not addressed by the Orange Book.
ITSEC | TCSEC |
E0 | = D |
F1 + E1 | = C1 |
F2 + E2 | = C2 |
F3 + E3 | = B1 |
F4 + E4 | = B2 |
F5 + E5 | = B3 |
F5 + E6 | = A1 |
F6 | = Systems that provide high integrity |
F7 | = Systems that provide high availability |
F8 | = Systems that provide high data integrity during communication |
F9 | = Systems that provide high confidentiality (like cryptographic devices) |
F10 | = Networks with high demands on confidentiality and integrity |
Common Criteria
The goal of the Common Criteria was to address the flaws of both the Orange Book, and the ITSEC. The Orange Book's fatal flaw was a narrow scope that concerned itself with only the confidentiality of a system. The ITSEC made progress on this, but used a confusing, complex rating system that allowed vendors to mix and match ratings.
To address this, the Common Criteria developed a straight forward scale that addressed both confidentiality and assurance. Under Common Criteria, products are given an Evaluated Assurance Level (EAL). The lowest EAL rating is EAL1 and the highest is EAL7. The lower levels of the EAL scale examine functionality; does the product deliver on it's promises? The higher levels involve more methodical testing that examines the assurance level of the product's functionality.
Where Common Criteria really sets itself apart though, is in it's protection profiles. These profiles outline the need for a product and the likely threats it will face. It takes into account any assumptions made and what type of environment the product will function in. These profiles allow for more targeted testing, and provides greater feedback to customers who want to know if a product is right for them and their network.
Common Criteria is the current globally recognized standard.
No comments:
Post a Comment