Citrix XenServer & VMware ESX Common Criteria Certification

As some of you already know, Citrix have sponsored XenServer, XenDesktop, XenApp, and Netscaler into the Common Criteria program for Information Technology Security Evaluation (CC). We have had several questions about the announcement and what it means for both VMware and XenServer in particular. Since 1 or 2 of us at 360is were there way-back when Common Criteria & ITSEC first started seeing mainstream IT products submitted for evaluation, we thought we would take this chance to answer some of your questions in this posting.

What is Common Criteria (CC)?
CC is an attempt to reduce duplication of effort of the IT security evaluation functions of several governments (6 in all). CC is an international standard that describes how product vendors may make claims about their security software or hardware, and have independent laboratories investigate these claims and certify the product has been designed and built in a way that meets the vendors claims and can be relied upon to function as described.

What is EAL?
Within CC, products are examined to an Evaluation Assurance Level (EAL). EALs are numbered currently from 1 to 7, with 7 being the most detailed, most stringent level of scrutiny that a product is put under. VMware ESX and ESXi 3.5 were certified to EAL4+ in February 2010. Citrix have submitted their products for the EAL2 process this month.

So An EAL4 Product Is More Secure Than An EAL2 Product?
No. This is probably the most common misconception about CC. A higher EAL number means only that the product passed a deeper level of scrutiny of the vendor's claims. For example, I might have a simple weak encryption application that passes EAL7, because it was found to meet my claims without fault, and its design and execution was found to be exemplary even when "put under the microscope" of EAL7. A much stronger encryption application, that would protect my data better using a strong algorithm, might only be submitted for EAL2, because I want to get some kind of basic certification quickly so I can sell to my government customers. There are also a number of misconceptions around how vendor claims are tested. In our experience, code review is only done at EAL 6 or 7 for example.

What Claims Might A Vendor Make?
The scheme allows for vendors to tailor their claims based upon their product and the way it is to be used. This means that a Firewall is not subject to the same investigation as an Email system or a Desktop OS. A vendor with a Firewall might claim that in order to administer the device you must pass 2-factor authentication, and can only do so over a strongly encrypted connection, and that there are no other possible way of gaining admin access. Such a claim would be investigated to the required depth as part of the CC certification. Another example of a popular claim might be "the admins can't automatically read everyones Email". CC tests these claims are true to a certain depth. Documentation is a vital part of passing an evaluation.

Does It Matter What Version Gets Certified?
Yes. It matters very much. Just because version 1 of a product received certification, it doesn't mean that v2 or even v1.0.1 is certified. The product must be resubmitted into the evaluation process for it to be re-assessed. This is because CC evaluates vendors claims for a given version and even a given configuration of the product. It is normal for a product to be obsolete by the time it passes certification. You could argue this is made worse by the pace of change in commercial software, with many companies pushed to make 1 major release per year and 2 functionality patches, alongside the 4 critical security related hotfixes, all of which take a product outside its certified condition.

How Long Does It Take?
For product of similar size/complexity, the higher the level of assurance the longer the evaluation takes. Expect to see an XenServer (we presume v5.0 or v5.5) certified within the next 6 months. A CC certification can be an expensive business, in our experience of the process (mainly CheckPoint-FW1 and Harris CyberGuard) the cost is £200K-£400K.

Who Cares If A Product Is Certified?
Mostly it is government buyers or those who have to work closely with government agencies, exchanging information with them, or connecting directly to them. Often such customers are restricted to choosing products from the catalogue of evaluated solutions. However, depending on the sensitivity of the information being handled by the IT, an EAL certified may not even be required.

Where Can I Find Out More?
As ever, Wikipedia is a good start.
Check the Portal for certified products.
Or talk to us.

Updated 14-09-2010: XenServer has now been granted it's certification.