On Tue, 02 Feb 2010 18:09 +0000, "Bayard Bell" <buffer.g.overflow@googlemail.com> wrote:
quoted text
> Formal evaluation just means that the features judged relevant to the  
> evaluation can be minimally verified. On the flip side, there's David  
> Litchfield's observation in the introduction to The Oracle Hacker's  
> Handbook: "The Oracle RDBMS was evaluated under Common Criteria to  
> EAL4... However, the first few versions of Oracle that gained EAL4 had  
> a buffer overflow in the authentication mechanism." He goes on to that  
> standards are necessary to some extent but not fully indicative.  
> You'll find summary arguments and starting links off the Common  
> Criteria's Wikipedia entry. Given such limitations, perhaps you might  
> propose a more open evaluation and make code access for audit,  
> including by escrow access for an established third-party authority,  
> as a major criteria?

Common Criteria - http://www.iso15408.net - has largely replaced ITSEC and others. Like some other ISO standards, you may have to purchase a copy. I would say that CC makes some people feel good, but does little in the way of real Security. Microsoft Windows XP is EAL4 certified when configured certain ways. I think the certification process can be very narrowly focused on a few parts of the system so the vendor can say, "Look at this component of our OS, but not those" or "Certify our OS when configured a certain way". 

It's a costly process too and takes awhile to complete. I'm not sure any open source OS is certified. For proft, vendor backed Linux distributions (RHEL) may be as they have the time and money to waste on it and TrustedBSD makes reference to CC, but I don't think it's certified.

Brad
 
quoted text
> Am 1 Feb 2010 um 23:06 schrieb Keith:
> 
> > I've used OpenBSD & PF for a number of years without issue and am  
> > now in the position that I want to create a dmz between the Internet  
> > and my organisations WAN. Our security people are asking if the  
> > firewall that we use is accreditated by ITSEC and I am pretty sure  
> > it isn't but it turns out that our security people will be happy is  
> > the firewall is accredited for use by another government !
> >
> > I am very happy with my PF firewalls and their reliability and don't  
> > want to be forced into purchasing some cisco / forenet comercial  
> > firewall that I've never used before so am desperate to find some  
> > details of any foreign governments that are using OpenBSD / PF as a  
> > firewall or any details of any certification of the PF firewall.
> >
> > Can anyone help me out ?
> >
> > Thanks
> > Keith
> >
> >
> > __________ Information from ESET NOD32 Antivirus, version of virus  
> > signature database 4825 (20100201) __________
> >
> > The message was checked by ESET NOD32 Antivirus.
> >
> > http://www.eset.com