IBM, HP Boast of High Security for Servers with RHEL 5
Published: July 31, 2007
by Timothy Prickett Morgan
Server maker IBM is the first platform vendor out of the gates to offer certification to its customers that the latest Linux release from Red Hat, Enterprise Linux 5, meets the stringent security requirements imposed by a set of standards and audits from the United States government called the Common Criteria. HP has also just certified RHEL 5 on selected workstations, notebooks, and servers. Certification means IBM and HP have an easier time selling to all governments and corporations who use the Common Criteria as a guideline.
IBM was first to get the Common Criteria's Evaluated Assurance Level (EAL) certifications on RHEL 3, back in January 2004, on workstations and servers at the EAL 3+ level; IBM was also first out the door with certifications at the EAL 4+ level for its server line in April 2006 on Red Hat's RHEL 4 Linux. This time around, IBM and HP are much closer together in getting the certifications. IBM has been working since September 2005 to get RHEL 5 certified at the EAL 4+ level on its iron, including the big three Common Criteria profiles: Controlled Access Protection Profile (CAPP), Role-Based Access Control Protection Profile (RBACPP), and Labeled Security Protection Profile (LSPP). Vendors used to cherry-pick which profiles they would test, but these days, they need to do all three to get in on the big deals with Homeland Security, the Defense Department, and similar government agencies the world over. The EAL 4 or EAL 4+ levels mean not only that operating systems are certified as being secure, but that auditors and security experts have examined the source code of the software to really be sure that it is rock-solid. Lower EAL levels do not require source code examination by experts. The current Common Criteria scale tops out at EAL 7, which no one has reached yet.
On June 7, IBM received its EAL 4+ certification for the CAPP, RBACPP, and LSPP profiles using RHEL 5 on various Xeon and Opteron System x servers, on its System p line of machines (for any Power5 or Power5 machine), as well as on its System z mainframes running Linux. On June 26, HP received its EAL 4+ certifications for the CAPP, RBACPP, and LSPP profiles on its ProLiant X64-based servers, its Integrity Itanium-based servers, and its BladeSystem blade servers running RHEL 5.
The various flavors of Windows Server 2003 SP1 and Windows XP SP2 were certified at the EAL 4+ level, but only for the CAPP profile, in September 2006, and were recertified after a slew of hot fixes in April. Sun Microsystems is working to get all three EAL profiles certified with its Solaris 10 Unix with Trusted Extensions, the security add-ons for Solaris that greatly restrict who can get to what data and services on the system. IBM's i5/OS V5R3 proprietary operating system was tested with the CAPP profile at the EAL 4+ level back in May 2005, and VMware's ESX Server 2.5 server virtualization hypervisor was put through the Common Criteria paces in early 2006, but only attained an EAL 2 certification level and only running Windows. (The EAL profiles were not specified.) Last summer, IBM made a big deal out of the fact that its mainframe hypervisor got the EAL 5 certification, while its System p Virtualization Engine hypervisor had an EAL 4+ rating running IBM's own AIX Unix variant. HP-UX 11i v2 was certified at the EAL 4 level back in September 2001--way ahead of the pack--but HP-UX 11i v3, which started shipping this year, has not been certified yet.