DISCUSSION OF CHAPTER 4:
SECURING NETWORKS IN THE INFORMATION AGE
Dr. Mert Uneri
with contributions from Dr. D. Stanley, Col. H. Dinis, Col. D. Handy, Capt. L. Policarpo, Dr. B. Buyukoner, Prof. S.
Kolobov, Mr. A. Gabovych, Mr. B. Karabacak, Dr. M. Valente, Dr. G. Aharoni, Maj. General L. Vellone, Mr. G.
Kahraman
Stanley : Microsoft has a common criteria for Windows 2000. Windows 2003 is
going to become a common criteria evaluation and yet we are sitting here laughing
because Microsoft is completely full of bugs. Can you please explain what you really
think the value of these evaluations is? And the second point, can you actually say what
NATO is doing? Are you on the working group for common criteria? Can you say
where NATO is going or where we stand at the moment?
Uneri : The thing I would say about Microsoft evaluations, or for all evaluations, is
that without certification you have nothing in hand, but with a certified product you have
something. The certified product can be secure or not secure. The two possibilities exist
but if the product is not certified, then you can say nothing about it. If the product is
certified, the important task to operate this software securely is to configure and operate
it in a secure manner. For example, Microsoft Windows NT4 is not an evaluation, but
when used isolated from the network, the configuration should be made separately from
the network. If you connect this operating system to the network then the certification is
not valid. So the products are evaluated in some conditions and certified according to
some operating conditions. If you use them in different conditions, the certificates are
not valid.
The common criteria working group in NATO is trying to put common criteria
operation in NATO, for instance, for procurement. It is a very difficult task because the
products which have common criteria certificates are not frequent. You can find
operating systems and firewalls that are common criteria certified but you cannot find,
for example, a cryptosystem. So these are difficulties for NATO and NATO has also the
difficult task of standards. There is a transition plan to use common criteria in NATO,
but it is behind schedule as there is a directive, a common criteria directive that has been
argued by the nations. Silence has been broken by Germany and France. So if the
directive is passed, common criteria can be used in NATO. The usage of common
criteria for crypto systems remains a problem. The nations cannot agree on this subject.
Another problem is certificates of common criteria; who will give these? There are at the
moment, as far as I know, seven nations that produce such certificates; US, UK,
Germany, France, Canada, Australia and New Zealand. They are producers of
certificates, but other NATO nations state that they have national schemes and do not
have to use common criteria. So the problem remains of who will give the certificates.
Seven nations are not enough according to the other nations. For example, Holland and
Spain have certification schemes. So there are two problems in using common criteria in
NATO.