Re: [IDS] IDS Common Criteria

From: detmar.liesen@lds.nrw.de
To: focus-ids@securityfocus.com
Date: Wed, 8 Jan 2003 09:11:42 +0100

    FTWAI (for those who are interested):
    Europe has a counterpart to CC - the Information Technology Security Evaluation
    Criteria (ITSEC), which has adopted several thoughts of the Orange Book of CC
    but is more flexible. In Germany the BSI (www.bsi.de) is the public authority
    for ITSEC certifications.

    BTW: I once tried to read the Orange Book but I gave up on the 12th page or
    so.
    This experience was very traumatic for me (shudder).
    >8)

    However, for stuff like b2b, even private companies nowadays tend to prefer
    E3/high certified products.

    As most of you probably know, in the US and in Germany (I don't know about the
    others) it's compulsory to protect your business - and thus your
    IT infrastructure as well - from known threats that could bankrupt you (for
    those who want to know, I am talking about the German KonTraG act and its
    consequences).

    If you have a security concept and your infrastructure is certified E3/high, you
    have solid proof that you have taken adequate measures for protecting your
    business, and this protects you (as a business owner or executive) from being
    charged with serious negligence, if this is the right term in English.
    :)
    Of course, E3/high certified products do not protect you from harm if your
    security concept does not include audits and assessments that are performed on a
    regular basis.

    For government security-infrastructure such as firewalls, E3/high is compulsory
    anyway.

    Just my 2 Cents
    ;)

    Cheers,
    Detmar Liesen

     -----Original Message-----
    From: Randy Taylor [mailto:gnu@charm.net]
    Sent: Wednesday, 8 January 2003 00:50
    To: Talisker; focus-ids@securityfocus.com; ids@mailman.vet.com.au
    Subject: Re: [IDS] IDS Common Criteria

    At 11:00 PM 1/7/2003 +0000, Talisker wrote:
    >Sadly within the public sector installing an IDS isn't merely a question of
    >having sufficient resources to achieve the objective, there are also a
    >plethora of political and accreditation issues to overcome. CC can help to
    >surmount many of the bureaucratic mountains that lie in the way.
    >I don't agree with it, but it's a fact of life, I can't see another way
    >until common sense prevails. Unfortunately public sector and common sense
    >rarely walk hand in hand.

    You've hit the hidden nail pretty close to its head. The U.S. Government
    public sector now requires significant Certification and Accreditation (C&A)
    efforts for any new infrastructure being stood up and it is in the process
    of introducing C&A into existing infrastructure. CC product certifications
    are an integral part of the C&A process now, and they're not going away.
    The U.S. Military has been doing C&A on their critical infrastructure for
    as long as I can remember. The point is that post 9/11 pretty much -everything- in the
    U.S. .gov and .mil network domains is being identified as critical
    infrastructure.

     From the outside-in view, CC and its C&A parent are bureaucratic at best
    and Byzantine at worst. In the projects I'm involved with these days,
    I spend as much time on C&A issues as I do on technical issues. I'm
    seeing the process from the inside. It does get mind-bogglingly complex
    sometimes, and everyone I know that's involved relieves the pressure with
    an occasional witty rant or two. My previous humorous comments aside
    though, C&A has identified weaknesses in infrastructure that would have
    escaped detection otherwise. C&A has this annoying habit of working.

    Sure, the overall process can be improved, and I'm sure it will - but it does
    what it's supposed to do now. From a structural security perspective, C&A
    is essential. I wouldn't be surprised to see the commercial sector adopt
    C&A processes and demand CC certs in the next year or two.

    >just my 2c
    >
    >take care
    >-andy

    8)

    Randy
