CCM 4350 Week 22. Security Architecture and Engineering. Dr A. Lasebae School of Science and Technology CCM4350 1
|
|
- Gordon Chapman
- 5 years ago
- Views:
Transcription
1 CCM 4350 Week 22 Security Architecture and Engineering Dr A. Lasebae School of Science and Technology CCM4350 1
2 Security Evaluation CCM4350 2
3 Security Evaluation How do you get assurance that your computer systems are adequately secure? You could trust your software providers. You could check the software yourself, but you would have to be a real expert! You could rely on an impartial security evaluation by an independent body. Security evaluation schemes have evolved since the 1980s; currently the Common Criteria are used internationally. Authorising members: 16 countries CCM4350 3
4 Objectives Examine the fundamental problems any security evaluation process has to address. Propose a framework for comparing evaluation criteria. Overview of the major evaluation criteria. Assess the merits of evaluated products and systems. CCM4350 4
5 Session contents History Framework for the comparison of criteria The Orange Book ITSec Common Criteria Quality Standards? Summary CCM4350 5
6 Security Evaluation History TCSec (Orange Book): a predefined evaluation classes linking functionality and assurance (USA Defence Dept.) ITSec: European criteria separating functionality and assurance so that very specific targets of evaluation can be specified and commercial needs can better addressed TCSec and ITSec no longer in use; replaced by the Common Criteria (CC) CCM4350 6
7 Framework for Security Evaluation What is the target of the evaluation? What is the purpose of an evaluation? What is the method of the evaluation? What is the organisational framework for the evaluation process? What is the structure of the evaluation criteria? What are the costs and benefits of evaluation? CCM4350 7
8 Target & Purpose Target of evaluation Product: off-the-shelf software component to be used in a variety of applications; has to meet generic security requirements System: collection of products assembled to meet the specific requirements of a given application Purpose of evaluation Evaluation: assesses whether a product has the security properties claimed for it Certification: assesses suitability of a product (system) for a given application Accreditation: decide to use a certain system CCM4350 8
9 Method Evaluations should not miss problems, different evaluations of the same product should give the same result. Product oriented: examine and test the product; better at finding problems but costly! Process oriented: check documentation & product development process; cheaper and better for repeatable results. Repeatability and reproducibility often desired properties of an evaluation methodology. CCM4350 9
10 Organisational Framework Public service: evaluation by government agency; can be slow, may be difficult to retain qualified staff! Private service: evaluation facilities usually accredited by a certification agency. How to make sure that customer pressure does not influence evaluation results? Happens quite often!!! Contractual relationship between evaluation sponsor, product manufacturer, evaluation facility? Interpretation drift (criteria creep): meaning of criteria may change over time and differ between evaluators. CCM
11 Structure Structure of evaluation criteria: Functionality: security features Effectiveness: are mechanisms used appropriate Assurance: thoroughness of analysis Orange Book: evaluation classes for a given set of typical DoD requirements, consider all three aspects simultaneously. ITSec: flexible evaluation framework that can deal with new security requirements; the three aspects are addressed independently. CCM
12 Costs and Benefits Direct costs: fees paid for evaluation. Indirect costs: employee time, training evaluators in the use of specific analysis tools, impact on development process. When evaluating a product, the cost of evaluation may be spread over a large number of customers. Benefits: evaluation may be required, e.g. for government contracts; marketing argument; better security? CCM
13 Orange Book Developed for the national security sector, but intended to be more generally applicable; it provides a yardstick for users to assess the degree of trust that can be placed in a computer security system, guidance for manufacturers of computer security system, a basis for specifying security requirements when acquiring a computer security system. Security evaluation of the Trusted Computing Base (TCB), assumes that there is a reference monitor. Developed for systems enforcing multi-level security. High assurance linked to formal methods, simple TCBs, and structured design methodologies; complex systems tend to fall into the lower evaluation classes. CCM
14 Evaluation Classes Designed to address typical security requirements; combine security feature and assurance requirements: Security Policy: mandatory and discretionary access control; Marking of objects: labels specify the sensitivity of objects; Identification of subjects: authentication of individual subjects; Accountability: audit logs of security relevant events; Assurance: operational assurance refers to security architecture, life cycle assurance refers to design methodology, testing, and configuration management; Documentation: users require guidance on installation and use; evaluators need test and design documentation; Continuous Protection: security mechanisms cannot be tampered with. CCM
15 Security Classes Four security divisions: D Minimal Protection C Discretionary Protection ( need to know ) B Mandatory Protection (based on labels) A Verified Protection Security classes defined incrementally; all requirements of one class automatically included in the requirements of all higher classes. Class D for products submitted for evaluation that did not meet the requirements of any Orange Book class. Products in higher classes provide more security mechanisms and higher assurance through more rigorous analysis. Visit this web site for more information: ftp://ftp.kernel.org/pub/linux/libs/security/orange- Linux/refs/Orange/OrangeI-II-2.html CCM
16 C1: Discretionary Security Protection Intended for environments where cooperating users process data at the same level of integrity. Discretionary access control based on individual users and/or groups. Users have to be authenticated. Operational assurance: TCB has its own execution domain; features for periodically validating the correct operation of the TCB. Life-cycle assurance: testing for obvious flaws. Documentation: User s Guide, Trusted Facility Manual (for system administrator), test and design documentation. TCB- trusted computing base CCM
17 C2: Controlled Access Protection Users individually accountable for their actions. DAC at the granularity of single users. Propagation of access rights has to be controlled and object reuse has to be addressed. Audit trails of the security relevant events that are specified in the definition of C2. Testing and documentation: covers the newly added security features; testing for obvious flaws only. C2 was regarded to be the most reasonable class for commercial applications. C2-evaluated versions of most major operating systems or database management systems. CCM
18 B1: Labelled Security Protection Division B for products that handle classified data and enforce mandatory MLS policies (based on security labels). Class B1 for system high environments with compartments. Issue: export of labelled objects to other systems or a printer; e.g. human-readable output has to be labelled. Higher assurance: informal or formal model of the security policy. Design documentation, source code, and object code have to be analysed; all flaws uncovered in testing must be removed. No strong demands on the structure of the TCB. B1 rating for System V/MLS (from AT & T), operating systems from Hewlett Packard, DEC, and Unisys; database management systems: Trusted Oracle 7, INFORMIX-Online/Secure, Secure SQL Server. CCM
19 B2: Structured Protection Class B2 increases assurance by adding design requirements. MAC governs access to physical devices. Users notified about changes to their security levels. Trusted Path for login and initial authentication. Formal model of the security policy and a Descriptive Top Level Specification (DTLS). Modularization as an important architectural design feature. TCB provides distinct address spaces to isolate processes. Covert channel analysis required; events potentially creating a covert channel have to be audited. Security testing establishes that the TCB is relatively resistant to penetration. B2 rating for Trusted XENIX operating system. CCM
20 B3: Security Domain B3 systems are highly resistant to penetration. New requirements on security management: support for a security administrator; auditing mechanisms monitor the occurrence or accumulation of security relevant events and issue automatic warnings. Trusted recovery after a system failure. More system engineering efforts for to minimise the complexity of the TCB. A convincing argument for the consistency between the formal model of the security policy and the informal Descriptive Top Level Specification. CCM
21 A1: Verified Design Functionally equivalent to B3; achieves the highest assurance level through the use of formal methods. Evaluation for class A1 requires: a formal model of the security policy a Formal Top Level Specification (FTLS), consistency proofs between model and FTLS (formal, where possible); TCB implementation (in)formally shown to be consistent with the FTLS; formal covert channels analysis; continued existence of covert channels to be justified, bandwidth may have to be limited. More stringent configuration management and distribution control. A1 rating for network components: MLS LAN (from Boeing) and Gemini Trusted Network Processor; SCOMP operating system. CCM
22 Rainbow Series The Orange Book is part of a collection of documents on: security requirements, security management, security evaluation published by NSA and NCSC (US National Security Agency and National Computer Security Centre). The documents in this series are known by the colour of their cover as the rainbow series. Concepts introduced in the Orange Book adapted to the specific aspects of computer networks (Trusted Network Interpretation, Red Book) of, database management systems (Trusted Database Management System Interpretation, Lavender/Purple Book) etc. CCM
23 Information Technology Security Evaluation Criteria ITSEC: harmonisation of Dutch, English, French, and German national security evaluation criteria; endorsed by the Council of the European Union in Builds on lessons learned from using the Orange Book; intended as a framework for security evaluation that can deal with new security requirements. Breaks the link between functionality and assurance. Apply to security products and to security systems. The sponsor of the evaluation determines the operational requirements and threats. CCM
24 ITSec The security objectives for the Target of Evaluation (TOE) further depend on laws and regulations; they establish the required security functionality and evaluation level. The security target specifies all aspects of the TOE that are relevant for evaluation: security functionality of the TOE, envisaged threats, objectives, and details of security mechanisms to be used. The security functions of a TOE may be specified individually or by reference to a predefined functionality class. Seven evaluation levels E0 to E6 express the level of confidence in the correctness of the implementation of security functions. CCM
25 Common Criteria Criteria for the security evaluation of products or systems, called the Target of Evaluation (TOE). Protection Profile (PP): a (re-usable) set of security requirements, including an EAL; should be developed by user communities to capture typical protection requirements. Security Target (ST): expresses security requirements for a specific TOE, e.g. by reference to a PP; basis for any evaluation. Evaluation Assurance Level (EAL): define what has to be done in an evaluation; there are seven hierarchically ordered EALs. CCM
26 Common Criteria Protection Profile CC Protection Profile PP introduction TOE description TOE security environment Security objectives IT security requirements PP application notes Rationale PP identification PP overview Assumptions Threats Organisational security policies Security objectives for TOE Security objectives for environment TOE security requirements Security requirements For the IT environment Security objectives rationale Security requirements rationale TOE security functional requirements TOE security assurance requirements CCM
27 CC Assurance Levels EAL1 - functionally tested EAL2 - structurally tested EAL3 - methodically tested and checked EAL4 - methodically designed, tested, and reviewed EAL5 - semiformally designed and tested EAL6 - semiformally verified design and tested EAL7 - formally verified design and tested CCM
28 Assurance Levels EAL1: tester receives the target of evaluation, examines the documentation and performs some tests to confirm the documented functionality; evaluation should not require any assistance from the developer; the outlay for evaluation should be minimal. EAL2: developer provides test documentation and test results from a vulnerability analysis; evaluator reviews documentation and repeats some of these tests; effort required from the developer is small and a complete development record need not be available. CCM
29 Assurance Levels EAL3: developer uses configuration management, documents security arrangements for development, and provides high-level design documentation and documentation on test coverage for review; EAL3 intended for developers who already follow good development practices but do not want to implement further changes to their practices. EAL4: developer provides low-level design and a subset of security functions (TCB) source code for evaluation; secure delivery procedures; evaluator performs an independent vulnerability analysis. Usually EAL4 is the highest level that is economically feasible for an existing product line. CCM
30 Assurance Levels EAL5: developer provides formal model of the security policy, a semiformal high-level design, functional specification, and the full source code of the security functions; covert channel analysis; evaluator performs independent penetration testing. TOE should have been designed and developed with the intent of achieving EAL5 assurance; additional evaluation costs ought not to be large. EAL6: source code well structured, reference monitor must have low complexity; evaluator conducts more intensive penetration testing; cost of evaluation expected to increase. CCM
31 Assurance Levels EAL7: developer provides a formal functional specification and a high-level design, demonstrates correspondence between all representations of the security functions. EAL7 typically only achieved with a TOE that has a tightly focused security functionality and is amenable to extensive formal analysis. CCM
32 CC Evaluated Operating Systems EAL4: Sun Solaris (TM) 8 Operating Environment EAL4: HP-UX (11i) Version EAL4+: AIX 5L for POWER V5.2 Programm Number 5765-E62 EAL3: SGI Trusted IRIX/CMW Version EAL4+: Windows 2000 Professional, Server, and Advanced Server with SP3 and Q Hotfix EAL4: B1/EST-X Version with AIX, Version EAL4: Sun Trusted Solaris Version 8 4/01 EAL4+: Windows 2000 Professional, Server, and Advanced Server with SP3 and Q Hotfix (OS) EAL3: SGI IRIX/CMW Version CCM
33 Windows 2000 Certification Certified Configurations Controlled Access Protection Profile (CAPP) Equivalent to C2 Functional Requirements Covers network operating system functionality Multi-Master Directory Service Active Directory L2TP/IPSEC-Base VPN Windows 2000 Professional VPN Client Windows 2000 Server VPN Services Single Sign-on Other Services Kerberos TLS Software Signature Creation Device Sensitive Data Protection Device (EFS) Network Management Flaw Remediation (MSRC) Desktop management DNS/DHCP Servers CCM
34 Evaluation Methodology Common Evaluation Methodology (CEM) specifies all the steps that have to be followed when validating the assurance requirements in a Security Target. Common Criteria Recognition Agreement (CCRA) provides recognition of evaluations performed in another country; addresses assurance levels EAL1 to EAL4; higher assurance levels are only accepted within a single country. Common Criteria Evaluation and Validation Scheme (CCEVS): national US program for performing security evaluations according to the Common Criteria. CCM
35 Quality Standards Ultimate step towards audit-based evaluation: assess how a product is developed but not the product itself. A company would become a certified producer of secure systems. This approach is popular in the area of quality control: organisations follow the ISO 9000 standard on internal quality management and external quality assurance to vouch for the quality of their products. Some vendors claim that being registered under an ISO 9000 quality seal is a better selling argument than a security certificate for a particular product and that security evaluation should move in this direction. CCM
36 Quality Standards Such a proposal is attractive for companies developing secure systems: the costs of evaluation are much reduced. If the developers of secure systems win in this proposal, will the users of secure systems lose out? This is not a foregone conclusion; certificate is no guarantee that a system cannot be broken. You have to assess each evaluation scheme on its own merits to decide whether individually evaluated products offer more security than products from accredited developers. CCM
37 Summary Security evaluation has been required in some countries by public sector customers. Major O/S and DBMS vendors offer evaluated products. Outside the government sector there has been little enthusiasm for evaluated products. One current exception: smart card software. Persistent problem: products keeps evolving so evaluation often refers to a version no longer in use. CCM
Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria
Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria Evaluation: assessing whether a product has the security properties claimed for it. Certification: assessing whether a
More informationIntroduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria
Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria Evaluation: assessing whether a product has the security properties claimed for it. Certification: assessing whether a
More informationSecurity System and COntrol 1
Security System and COntrol 1 Security Management By: Joseph Ronald Canedo It is a Risky World Vulnerabilities Security objectives: Prevent attacks Detect attacks Recover from attacks Attacks: against
More informationSession objectives. Security Evaluation. Evaluation Standards. Can we trust a secure product/system? CSM27 Computer Security
Overview Session objectives Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Discuss advantages and limitations of security evaluations Clarify fundamental concepts
More informationChapter 18: Evaluating Systems
Chapter 18: Evaluating Systems Goals Trusted Computer System Evaluation Criteria FIPS 140 Common Criteria SSE-CMM Slide #18-1 Overview Goals Why evaluate? Evaluation criteria TCSEC (aka Orange Book) FIPS
More informationCertification Report
EAL 3 Evaluation of Thales Communications S. A. Internal Communications Management System (ICMS) Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Microsoft Corporation Windows 2000 Report Number: CCEVS-VR-02-0025 Dated: 25 October 2002
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT VMware Horizon 6 version 6.2.2 and Horizon Client 3.5.2 12 August 2016 v1.0 File Number 383-4-356 Government of Canada. This document is the property of the Government
More informationCertification Report
Certification Report Symantec Security Information Manager 4.8.1 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationUNICOS/mp Common Criteria Evaluation
UNICOS/mp Common Criteria Evaluation Janet Lebens, Cray Inc. Cray Proprietary Agenda Definitions NIAP CCEVS Common Criteria CC vs TCSEC Why Evaluate? Steps of Evaluation Details of Steps for Cray / Progress
More informationIT Security Evaluation : Common Criteria
AfriNIC-9 MEETING Mauritius 22-28 November 2008 IT Security Evaluation : Common Criteria Ministry of Communication Technologies National Digital Certification Agency Mounir Ferjani November 2008 afrinic
More informationCertification Report
Certification Report EAL 2+ Evaluation of McAfee Deep Defender 1.0.1 and epolicy Orchestrator 4.6.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation
More informationCertification Report
Certification Report HP 3PAR StoreServ Storage Systems Version 3.2.1 MU3 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationComputer Security CS 426 Lecture 17
Computer Security CS 426 Lecture 17 Trusted Computing Base. Orange Book, Common Criteria Elisa Bertino Purdue University IN, USA bertino@cs.purdue.edu 1 Trusted vs. Trustworthy A component of a system
More informationBuilding an Assurance Foundation for 21 st Century Information Systems and Networks
Building an Assurance Foundation for 21 st Century Information Systems and Networks The Role of IT Security Standards, Metrics, and Assessment Programs Dr. Ron Ross National Information Assurance Partnership
More informationCertification Report
Certification Report EAL 4 Evaluation of Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Blue Ridge Networks BorderGuard Centrally Managed Embedded PKI Virtual Private Network (VPN)
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationCommon Criteria. Introduction Emilie Barse Magnus Ahlbin
Common Criteria Introduction 2015-02-23 Emilie Barse Magnus Ahlbin 1 Magnus Ahlbin Head of EC/ITSEF Information and Security Combitech AB SE-351 80 Växjö Sweden magnus.ahlbin@combitech.se www.combitech.se
More informationCertification Report
Certification Report EAL 2+ Evaluation of Data ONTAP Version 7.2.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme
More informationCertification Report
Certification Report Standard Edition v2.8.2 RELEASE Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationCertification Report
Certification Report EAL 4+ Evaluation of Firewall Enterprise v8.2.0 and Firewall Enterprise Control Center v5.2.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common
More informationCertification Report
Certification Report EAL 2+ Evaluation of Tactical Network-layer Gateway (2E2 IA): a GD Canada MESHnet G2 Gateway product Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationTrusted OS Design CS461/ECE422
Trusted OS Design CS461/ECE422 1 Reading Material Section 5.4 of Security in Computing 2 Design Principles Security Features Kernelized Design Virtualization Overview 3 Design Principles Simplicity Less
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Delta Security Technologies Sentinel Model III Computer Security System Report Number: CCEVS-VR-02-0023
More informationCertification Report
Certification Report EAL 2+ Evaluation of EMC Celerra Network Server Version 5.5 running on EMC Celerra NSX and EMC Celerra NS series Issued by: Communications Security Establishment Certification Body
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security
More informationCertification Report
Certification Report EAL 2+ Evaluation of McAfee Enterprise Mobility Management 9.7 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationCommon Criteria for IT Security Evaluation - Update report
Common Criteria for IT Security Evaluation - Update report 4 Developments in harmonisation of evaluation criteria Author. Dr. Ir. Paul L. Overbeek TNO Physics and Electronics Laboratory - p/a P.0.-Box
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT WorkCentre 7525/7530/7535/7545/7556 with FIPS 140-2 Compliance over SNMPv3 25 July 2016 v1.0 383-4-371 Government of Canada. This document is the property of the Government
More informationSECURITY CERTIFICATION
ÉDITION 2018 SECURITY CERTIFICATION OF PRODUCTS BY THE FRENCH NATIONAL CYBERSECURITY AGENCY (ANSSI) PAR L AGENCE NATIONALE DE LA SÉCURITÉ DES SYSTÈMES D INFORMATION Security Visas provide a competitive
More informationCertification Report
Certification Report EAL 2+ Evaluation of Service Router Operating System (SR OS) v7.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and
More informationCertification Report
Certification Report EAL 4+ Evaluation of WatchGuard and Fireware XTM Operating System v11.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation
More informationCertification Report
Certification Report McAfee Management for Optimized Virtual Environments Antivirus 3.0.0 with epolicy Orchestrator 5.1.1 Issued by: Communications Security Establishment Certification Body Canadian Common
More informationCertification Report
Certification Report Curtiss-Wright Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications
More informationCertification Report
Certification Report Security Intelligence Platform 4.0.5 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationBSI-CC-PP-0088-V for
BSI-CC-PP-0088-V2-2017 for Base Protection Profile for Database Management Systems (DBMS PP) Version 2.12 and DBMS PP Extended Package - Access History (DBMS PP_EP_AH) Version 1.02 developed by DBMS Working
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT HP Service Manager v9.41 Patch 3 383-4-395 17 February 2017 v1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be altered,
More informationCertification Report
Certification Report McAfee Enterprise Security Manager with Event Receiver, Enterprise Log Manager, Advanced Correlation Engine, Application Data Monitor and Database Event Monitor 9.1 Issued by: Communications
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT WorkCentre 7845/7845i/7855/7855i 2016 Xerox ConnectKey Technology 12 August 2016 v1.0 383-4-382 Government of Canada. This document is the property of the Government
More informationCertification Report
Certification Report McAfee File and Removable Media Protection 4.3.1 and epolicy Orchestrator 5.1.2 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT McAfee Data Loss Prevention 11.0 with epolicy Orchestrator 5.9.0 4 January 2018 383-4-429 Version 1.0 Government of Canada. This document is the property of the Government
More informationCYSE 411/AIT 681 Secure Software Engineering Topic #3. Risk Management
CYSE 411/AIT 681 Secure Software Engineering Topic #3. Risk Management Instructor: Dr. Kun Sun Outline 1. Risk management 2. Standards on Evaluating Secure System 3. Security Analysis using Security Metrics
More informationCertification Report
Certification Report EMC NetWorker v8.0.1.4 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada,
More informationCertification Report
Certification Report EAL 4+ Evaluation of JUNOS-FIPS for SRX Series version 10.4R4 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationCertification Requirements for High Assurance Systems
for High Assurance Systems Gordon M. Uchenick Senior Mentor/Principal Engineer Objective Interface Systems, Inc. and W. Mark Vanfleet Senior Cryptologic Mathematician/ Senior INFOSEC Analyst National Security
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT EMC VPLEX v5.5 Version 1.0 11 May 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority of the Chief, Communications Security
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Sun Java System Identity Manager v5.0 Report Number: CCEVS-VR-05-0117 Dated: 6 September
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report For VMware ESX Server 2.5.0 and VirtualCenter 1.2.0 Report Number: CCEVS-VR-06-0013 Dated:
More informationCC Part 3 and the CEM Security Assurance and Evaluation Methodology. Su-en Yek Australasian CC Scheme
CC Part 3 and the CEM Security Assurance and Evaluation Methodology Su-en Yek Australasian CC Scheme What This Tutorial Is An explanation of where Security Assurance Requirements fit in the CC evaluation
More informationCertification Report
Certification Report EMC Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,
More informationCertification Report
Certification Report EAL 2+ Evaluation of Netsight/Network Access Control v3.2.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationOperating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008
Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008 Page 1 Outline Designing secure operating systems Assuring OS security TPM and trusted computing Page 2 Desired
More informationCertification Report
Certification Report EMC VNX OE for Block v05.33 and File v8.1 with Unisphere v1.3 running on VNX Series Hardware Models VNX5200, VNX5400, VNX5600, VNX5800, VNX7600, and VNX8000 Issued by: Communications
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT EMC RecoverPoint v4.4 SP1 19 May 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority of the Chief, Communications Security
More informationCertification Report
Certification Report EAL 2+ Evaluation of Verdasys Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationCertification Report
Certification Report Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security
More informationCertification Report
Certification Report Owl DualDiode Communication Cards v7 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme NetScreen Technologies, Incorporated Report Number: CCEVS-VR-02-0027 Version 1.0 Dated: 30 November 2002 National
More informationCertification Report
Certification Report EAL 3+ Evaluation of Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running JUNOS 11.4R2
More informationDefining IT Security Requirements for Federal Systems and Networks
Defining IT Security Requirements for Federal Systems and Networks Employing Common Criteria Profiles in Key Technology Areas Dr. Ron Ross 1 The Fundamentals Building more secure systems depends on the
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT Dell EMC Unity OE 4.2 383-4-421 22 September 2017 Version 1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be altered,
More informationJuniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2
122-B ASSURANCE MAINTENANCE REPORT MR1 (supplementing Certification Report No. CRP248) Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2 Version 9.3R2 Issue 1.0 February 2009 Crown Copyright
More informationApplied IT Security. Device Security. Dr. Stephan Spitz 10 Development Security. Applied IT Security, Dr.
Applied IT Security Device Security Dr. Stephan Spitz Stephan.Spitz@gi-de.com Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System Security
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT McAfee VirusScan Enterprise 8.8 and epolicy Orchestrator 5.1.3 v1.0 9 May 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority
More informationCertification Report
Certification Report Koji Nishigaki, Chairman Information-technology Promotion Agency, Japan Target of Evaluation Application date/id 2008-03-25 (ITC-8210) Certification No. C0220 Sponsor Hitachi, Ltd.
More informationCertification Report
Certification Report Nutanix Virtual Computing Platform v3.5.1 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationIT Security Evaluation and Certification Scheme Document
IT Security Evaluation and Certification Scheme Document June 2015 CCS-01 Information-technology Promotion Agency, Japan (IPA) IT Security Evaluation and Certification Scheme (CCS-01) i / ii Table of Contents
More informationNational Information Assurance Partnership. Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Xerox Corporation Xerox CopyCentre C2128/C2636/C3545 Copier and WorkCentre Pro C2128/C2636/C3545
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationUnit OS7: Security The Security Problem. Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze
Unit OS7: Security 7.1. The Security Problem Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze 2 Copyright Notice 2000-2005 David A. Solomon and Mark Russinovich
More informationProcedure for Network and Network-related devices
Lloyd s Register Type Approval System Type Approval Requirements for components within Cyber Enabled Systems on board Ships Procedure for Network and Network-related devices September 2017 1 Reference:
More informationC017 Certification Report
C017 Certification Report BT-Direct Version File name: Version: v1a Date of document: 25 May 2011 Document classification: For general inquiry about us or our services, please email: mycc@cybersecurity.my
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report IEEE IEEE 2600.1-2009 Report Number: CCEVS-VR-10340 Dated: 2009-06-09 Version: 2.0 National
More informationCertification Report
Certification Report EAL 3+ Evaluation of Xerox WorkCentre 5632/5638/5645/5655/5665/5675/5687 Multifunction Systems Issued by: Communications Security Establishment Canada Certification Body Canadian Common
More informationSwedish Scheme Update Dag Ströman, Head of CSEC
Swedish Scheme Update Dag Ströman, Head of CSEC 1 CSEC - The Legal Base Swedish Parliament approval of the Government bill in May 2002, which stated: The Swedish Defence Materiel Administration, FMV, is
More informationAustralasian Information Security Evaluation Program
Australasian Information Security Evaluation Program Certification Report 2012/78 2 May 2012 Version 1.0 Commonwealth of Australia 2012. Reproduction is authorised provided that the report is copied in
More information084 Sponsors and Developers Guide to the Evaluation and Certification
Ärendetyp: 6 Diarienummer: 17FMV9080-8:1 Dokument ID SP-084 HEMLIG/ enligt Offentlighets- och sekretesslagen (2009:400) 2017-11-01 Country of origin: Sweden Försvarets materielverk Swedish Certification
More informationQualification Specification for the Knowledge Modules that form part of the BCS Level 4 Software Developer Apprenticeship
Qualification Specification for the Knowledge Modules that form part of the BCS Level 4 Software Developer Apprenticeship BCS Level 4 Diploma in Software Development Methodologies BCS Level 4 Diploma in
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT Lexmark CX920, CX921, CX922, CX923, CX924, XC9235, XC9245, XC9255, and XC9265 Multi-Function Printers 7 February 2018 383-4-434 V1.0 Government of Canada. This document
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report US Government Family of Protection Profiles for Public Key Enabled Applications for Basic
More information2 Common Criteria An Introduction
2An Introduction The CC combines the best aspects of existing criteria for the security evaluation of information technology systems and products. This document provides a summary of the principal features
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Tripp Lite Secure KVM Switch Series
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Report Number: CCEVS-VR-VID10481-2011 Dated: October 31, 2011 Version: 2.0 National Institute
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for the Venafi Trust Protection Platform, Version 1.0 Report Number: CCEVS-VR-VID10800-2017
More informationCertification Report
Certification Report Avocent Cybex SwitchView SC Series Switches Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT CA Privileged Access Manager Version 2.5.5 v1.2 8 August 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority of the Chief,
More informationBSI-CC-PP for
for Protection Profile for the Security Module of a Smart Meter Mini-HSM (Mini-HSM Security Module PP) - Schutzprofil für das Sicherheitsmodul des Smart Meter Mini-HSM, V1.0 developed by Federal Office
More informationJuniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2
122 ASSURANCE MAINTENANCE REPORT MR2 (supplementing Certification Report No. CRP248 and Assurance Maintenance Report MR1) Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2 Version 9.3R2 Issue
More informationJoint Interpretation Library
Object: Define concept and methodology applicable to composite product evaluation. Version 1.5 October 2017 October 2017 Version1.5 Page 1/55 This page is intentionally left blank Page 2/55 Version 1.5
More informationJuniper Networks J2300, J2350, J4300, M7i and M10i Services Routers running JUNOS 8.5R3
122 ASSURANCE MAINTENANCE REPORT MR3 (supplementing Certification Report No. CRP237 and Assurance Maintenance Reports MR1 and MR2) Juniper Networks J2300, J2350, J4300, M7i and M10i Services Routers running
More informationRevised November EFESC Handbook
Revised November 2015 EFESC Handbook 1 Table of Contents EFESC Handbook... 1 Table of Contents... 2 Handbook EFESC... 4 1 Background and objectives... 4 1.1 Sectoral developments... 4 1.1 Objectives...
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for Report Number: CCEVS-VR-10746-2016 Dated: November 10, 2016 Version: 1.0 National Institute
More informationCertification Report
Certification Report EAL 4+ Evaluation of High Security Labs Secure DVI KVM Switch, Secure KM Switch and Secure KVM Combiner Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationCOMMON CRITERIA CERTIFICATION REPORT
COMMON CRITERIA CERTIFICATION REPORT Dell Data Protection Encryption Personal Edition Version 8.14.0 383-4-416 2 October 2017 v1.1 Government of Canada. This document is the property of the Government
More information