
Novell IntranetWare, Yes Tested Products Granted Class C2 Rating by National Computer Security Center


01 Dec 1997


Details on the recent announcement that the National Computer Security Center has certified NetWare 4.11 as Class C2 Red Book compliant. Answers such questions as why C2 is significant and whether Novell is planning other evaluations.

Introduction

The National Computer Security Center (NCSC) announced in October that Novell NetWare 4.11, the network server environment included in IntranetWare, has been certified as Class C2 Red Book compliant and is now approved for use in government branches and agencies requiring secure network solutions. Included in the certification is a component of Novell's Yes Program, which certifies partners' products as Class C2 certified when deployed as part of IntranetWare networks. The announcement was made at the 20th National Information Systems Security Conference in Baltimore, MD.

"With this certification, Novell delivers to both private sector and government customers the only Class C2 approved, off-the-shelf client/server solution," said Mike McLaughlin, vice president of Novell's Major Markets. "Organizations such as the IRS, branches of the military, the Federal Reserve, most United States intelligence agencies, and a number of commercial organizations all require the use of Class C2 certified products. We look forward to helping the government continue its network evolution, together with our partners, by providing the functionality, security, and reliability customers have come to expect from Novell."

"Quality security is needed in the commercial products used in the information infrastructure. The Trusted Product Evaluation Program is an example of government and industry partnership to fulfill that need," said Stephen Barnett, Deputy Director of the National Computer Security Center.

"The Novell evaluation is a milestone in the Trusted Product Evaluation Program (TPEP)," Barnett continued. "While Product Evaluations to the C2 Level of Trust have provided assurance to our customers for many years, this evaluation demonstrates the first application of the Orange Book principles taken together with those of the Trusted Network Interpretation (TNI) Red Book in order to evaluate a client server component system architecture.

"The system is defined by a Network Security Architecture Document (NSAD) and allows for components to be replaced or added without further need to evaluate the composite system as long as each new component has been evaluated individually and found to meet the C2 requirements of the NSAD."

"The certificates awarded to the Novell NetWare Server, Release 4.11, the Cordant Assure EC Workstation, Release 4.11, and Novell NetWare 4 Network Systems are a recognition of a very significant achievement in the availability of evaluated commercial products," Barnett concluded. "We are pleased to add these products to our Evaluated Products List and congratulate Novell and Cordant for their accomplishment."

"Novell's approach to Class C2 certification is unique," said Stephen Barnett, Deputy Director of the National Computer Security Center. "It is the first certified networking solution so readily available and built on an open security framework, which allows customers to choose hardware vendors."

Other products have received lesser Class C2 Orange Book certification, which does not include networking components or file sharing capabilities. However, NetWare is the only network system to achieve Class C2 Red Book certification for an entire network solution from client to the server and all the pieces between while offering customers a choice of brand name hardware components.

"The achievement of Class C2 certification is the fulfillment of Novell's commitment to open security architecture," said Dr. Roger Schell, Development Manager, Novell Network Security Products. "From the outset, it was not enough for us to achieve a limited certification. Our focus has always been on a fully secure environment for our network architecture, which includes current and future versions of IntranetWare and our partners' connections to the network as tested and certified through Novell's Yes Program."

Novell chose several IBM PC products as the hardware platforms on which the Class C2 certification testing of NetWare was performed.

"As a result of our efforts with Novell and after having completed the Yes Program Enhanced Security Server test, IBM's desktop and PC server systems are the first to receive the Class C2 security rating," said Trey Smith, chief technology officer, IBM PC Company. "Network security is an increasingly critical issue, and IBM shares Novell's commitment to providing customers with a secure networking environment."

As part of DeveloperNet Labs' testing procedures, the Yes Program ensures full compatibility with Novell networks. All current and future Novell partners who meet the Yes Program's "Enhanced Security Server" testing requirements by passing the evaluated version of the Yes server certification tests are also included in the Class C2 evaluated configuration with NetWare.

This saves partners time and money by eliminating the need for separate Class C2 evaluations. More than 75 companies have file servers that are currently Yes tested and approved for full compatibility with NetWare 4.11 and IntranetWare and meet Class C2 certification standards. For a list of products completing Yes Program requirements, go to http://developer.novell.com/prodcert/.

Class C2 Security Rating Questions & Answers

Q. What is a Class C2 security rating?

A. Class C2 is a rating granted by the National Computer Security Center (NCSC) for products that have been evaluated against the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). The standard TCSEC evaluation is frequently referred to as the "Orange Book" (because it is bound in an orange cover). The Trusted Network Interpretation (TNI) of the TCSEC is called the "Red Book" and includes additional evaluation criteria for networks.

These criteria are the measurement against which products are evaluated for degrees of trust that can be placed on any given computer system to provide a level of confidence for government offices and businesses that process classified or other secure information. The Class C2 evaluation criteria is the minimum security rating required by many government agencies and offices (branches of the military, IRS, Federal Reserve, intelligence agencies, etc.) and by many corporations.

Q. What is the significance of a Class C2 rating?

A. Products achieving a Class C2 security rating have been evaluated and tested by an independent third party against known criteria. In this case, the third party is the federal government. This independent evaluation allows customers to make good purchasing decisions with a basis of trust established by an objective analysis, not just on claims of the vendor.

Q. What is the difference between Orange Book and Red Book classification?

A. The Orange Book evaluates standalone systems only. The Red Book evaluation extends the rating structure of the Orange Book to include network systems. Novell chose to have NetWare evaluated using the Red Book criteria because it is the appropriate test for network security measures.

Q. What is the difference between Novell's Class C2 evaluation and other Class C2 evaluations? Why is this announcement of any significance?

A. Novell believes it only makes sense for networking products to be evaluated as a network. The Class C2 rating of NetWare 4.11 includes the client, the server and everything between. This is the first product to be tested in this way. Other Class C2 ratings have been granted under Orange Book status, which includes only standalone products with no network ties. Novell's evaluation goes beyond standalone ratings to include the entire network, providing customers with a complete, off-the-shelf Class C2 rated solution.

Q. What is the significance of the Class C2 rating of Novell's Yes Program criteria?

A. The Class C2 rating of the Yes Program's "Enhanced Security Server" testing criteria means that all Novell partner products tested under this program automatically receive a Class C2 security rating. This includes all current and future products to complete testing criteria. In addition to eliminating the time and money required of partners to complete their own TCSEC evaluation, this provides consumers with a wide variety of Class C2 servers immediately available to them.

Q. What is the ITSEC (Information Technology Security Evaluation Criteria)? What is E2?

A. The Information Technology Security Evaluation Criteria, or ITSEC, is a set of European criteria similar to the TCSEC, but with some important differences. ITSEC emphasizes the integrity and availability of products and systems and introduces the distinctions of effectiveness and correctness. The TCSEC is primarily concerned with security policy, accountability, and assurance.

Various European Certification Bodies grant ratings based upon the ITSEC. Examples of ITSEC ratings are Level E2, which is a measure of effectiveness, and Class F-C2, which is a measure of functionality. A combined E2/F-C2 evaluation is similar in scope to the Class C2 TCSEC evaluation.

Q. Is Novell pursuing or planning to pursue any ITSEC evaluations?

A. Yes. Novell is in the process of an E2/F-C2 evaluation in the United Kingdom and plans to pursue an E3/F-C2 evaluation in Germany.

Q. What is the Common Criteria or CC?

A. The Common Criteria (CC) is a multi-national effort to write a successor to the TCSEC and ITSEC, effectively combining the best of both criteria into a globally consistent security certification program. The goal of CC is to provide global mutual recognition of evaluated products, simplifying security certification for multinational companies.

Q. What is Novell's involvement in CC? What is Novell's position on CC?

A. Novell is investigating the value to its customers of a CC evaluation.

Q. How do I know if a product has been evaluated?

A. An Evaluated Products List (EPL) is available on the Internet at the following address: http://www.radium.ncsc.mil/tpep/epl. Or you can call the Trusted Product Evaluation Program (TPEP) at 410-859-4458 for a current list.

Q. Are there higher security ratings granted by the NCSC?

A. The NCSC grants several levels of security ratings. In ascending order, they are: Class D (minimal protection); Class C1 (discretionary security protection); Class C2 (controlled access protection); Class B1 (labeled security protection); Class B2 (structured protection); Class B3 (security domains); and the highest rating, Class A1 (verified design). For additional information on these security ratings, contact the NCSC at http://www.radium.ncsc.mil/tpep/epl or by calling 410-859-4458.

Q. Will Novell apply for any higher security ratings for their products?

A. Based on feedback from our customers, we believe Class C2 is an adequate security rating and meets the needs of Novell's customer base for commercial systems. As a result, Novell does not currently plan to pursue any higher ratings. However, future Novell products will include features designed to meet the higher levels of security criteria.

Q. Novell started its security certification process in 1992. Why did it take so long to achieve the certification?

A. Novell established a memorandum of understanding (MOU) with the NCSC in 1992 and reached an evaluation agreement in 1995. The successful completion of that evaluation was announced in the fourth quarter of 1997, a span of five years from the inception of the process. Remember, this was a pioneering effort on the part of Novell and the NCSC. They had never before evaluated an entire network architecture at the Class C2 level. The certification of NetWare 4.11 is now the benchmark for any future Class C2 network evaluations.

* Originally published in Novell AppNotes

