atsec information security Evaluates Red Hat Linux 4 Update 2 at Common Criteria EAL3

atsec information security is proud to announce completion of its Common Criteria evaluation of Red Hat Linux 4 Update 2 at evaluation assurance level (EAL) 3 in just six months. The accomplishment adds to atsec’s unparalleled reputation for timely completion of Linux evaluations; since December 1, 2004, atsec has initiated and completed five Linux evaluations at EAL3+ and EAL4+ for three different customers. The timely completion of evaluation projects is critical if sponsors are to reap maximum benefit from their investment. atsec’s proven success in timely evaluation of Linux products is attributable to the extensive experience of its Linux product evaluators, its ongoing working partnerships with Linux product sponsors, and its excellent relationships with the Common Criteria certifying and validating bodies.
Red Hat Linux 4 Update 2 was certified by the U.S. National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) as conformant to EAL3+ and the Controlled Access Protection Profile (CAPP), which specifies a set of security functional and assurance requirements for IT products. The operating system is certified on HP server platforms including Itanium 2 processor based servers, and Intel Pentium/Xeon based servers with EM64T 64-bit extensions and HP AMD Opteron processor. HP sponsored the evaluation effort.
Completing evaluations efficiently and with limited resource investment by NIAP is essential for the success of the evaluation program, as pointed out in a recent report by the Government Accountability Office (GAO) on Common Criteria evaluations. atsec supports these goals and has demonstrated with this project that Common Criteria evaluations under the NIAP scheme can be done efficiently, satisfying some of the challenges the GAO report identified.
In fact, atsec information security is the world leader in Common Criteria evaluation of Linux, which is the world’s most scrutinized operating system under the Common Criteria. In less than three years since atsec pioneered evaluation of open source Linux systems in its successful August 2003 effort to certify SUSE Linux 8, the company has recorded ten successful Linux evaluations on five different distributions on a large range of hardware platforms (Intel Xeon 32-bit and 64-bit platforms; Intel Pentium based platforms; IBM iSeries, pSeries, zSeries, IBM eServer Opteron based systems; HP Opteron based systems; HP Intel Itanium based systems, and SGI Altix massive parallel systems based on Itanium processors) to two different national Schemes, CCEVS NIAP in the U.S. and BSI in Germany. It is noteworthy that for each of the ten completed evaluations, atsec examined a unique combination of Linux distribution, hardware platform, and vendor-specific supporting software.

Operating system evaluation is the greatest test of competence in the field, and atsec continues to earn its reputation as the world leader in this sphere. Helmut Kurth, atsec Chief Scientist, notes: “Of the 42 successful operating system evaluations performed world-wide as listed on the official Common Criteria Portal web site (www.commoncriteriaportal.org), 22 were performed by atsec.”
The conclusion of the Red Hat Linux 4 Update 2 evaluation closely follows completion of two milestone operating system evaluations: Red Hat Enterprise Linux 4 at EAL4+ conformant to CAPP, and IBM z/OS V1R7 at EAL4+ conformant to CAPP and the Labeled Security Protection Profile (LSPP). Continuing its pioneering efforts, atsec is conducting the first ever evaluation of a Linux product with the SE-Linux security enhancement against the Labeled Security Protection Profile (LSPP) in its examination of Red Hat Enterprise Linux 5. Linux industry experts have noted that this evaluation is particularly important because it might represent a historic opportunity to integrate security features that are currently specific to the security Linux branch back into the mainstream commercial Linux branch.
atsec is one of only four companies worldwide with multiple evaluation labs accredited to perform evaluations under two different national schemes. atsec labs have been accredited by NIAP CCEVS in the U.S. and BSI in Germany to perform evaluations using the Common Criteria standard. Eligibility to perform evaluations under both major schemes and the availability of a large (40+) staff of qualified evaluators, enable atsec to offer its customers both maximum flexibility, and proven expertise and experience in Common Criteria evaluations. For more information about atsec’s qualifications and competence, see www.atsec.com. For independent confirmation of atsec’s competence and reputation, visit the NIAP or BSI websites, or contact NIAP or BSI directly.
Scrutiny of Red Hat Linux 4 Update 2 continues. Evaluation at the more rigorous evaluation assurance level 4 begins immediately.


# # #

About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone. For more information, please visit www.atsec.com.