RE: IDS Common Criteria

From: Greg van der Gaast (greg.vandergaast@wanadoo.nl)
Date: 01/07/03

    From: "Greg van der Gaast" <greg.vandergaast@wanadoo.nl>
    To: "'Talisker'" <talisker@networkintrusion.co.uk>
    Date: Tue, 7 Jan 2003 09:19:40 +0100
    
    

    I have seen plenty of people with driving licenses who can't drive worth
    a ____. Same goes for CC accreditation.

    In my humble opinion, the problem with CC is that the evaluation is only
    as good as the evaluator. The standard itself is written in such
    abstract form (the word 'computer' doesn't even come up once in the
    640+ page document except for one mention of 'Computer Aided Design')
    that in most cases numerous (all?) low-level technical vulnerabilities
    or shortfalls are overlooked. Perfect example is W2k being certified and
    MS releasing 3 critical patches to fix just certified components, the
    next day. Worse is that in this case MS deliberately left its customers
    vulnerable so it could get accredited and market their product as more
    secure. For commercial use I'd say, once again imho, it's worthless and
    its use as part of a security policy or management process should be
    avoided.

    Hope this helps.

    Regards,

    Greg

    -----Original Message-----
    From: Talisker [mailto:talisker@networkintrusion.co.uk]
    Sent: Monday, January 06, 2003 7:14 PM
    To: focus-ids@securityfocus.com; ids@mailman.vet.com.au
    Subject: IDS Common Criteria

    Hi all

    Sorry about cross posting this on the SF and Australian IDS list

    I received a marketing post this morning from Intrusion Inc saying that
    their SecureNetPro is the only IDS to have passed Common Criteria
    Certification, I was under the impression that another IDS vendor (ISS)
    had already achieved similar. Is there a RealSecure fan out there that
    could confirm this?

    Outside Government and Military circles where I can see Common Criteria
    Certification being extremely useful, how valuable is it, i.e. within the
    financial sector etc.? More importantly, what are its failings?

    take care
    -andy
    Taliskers Network Security Tools
    http://www.networkintrusion.co.uk


