Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Vulnerability Assessment of a EAL 4 system

from [Richard Worwood] Network Security [Permanent Link]
Subject: RE: Vulnerability Assessment of a EAL 4 system
Date: Mon, 6 Nov 2006 22:31:51 +0000 
I guess what everyone is trying to says is that just because a device / 
OS combination has been tested to EAL4 doesn't mean your version is 
configured as such. 

-----Original Message-----
From: Takayama Kawika (DTI) [mailto:Kawika.Takayama@state.de.us] 
Sent: 02 November 2006 09:44
To: focus-linux@securityfocus.com
Subject: RE: Vulnerability Assessment of a EAL 4 system

This is one of the only Linux Distro's in production certified for 
EAL4...

"Following in the wake of its previous certifications, Novell's SUSE 
Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM 
eServer.' This puts SLES9 in the same league as Windows 2000 for sales 
in the government sector and is the first Linux distro to achieve an
EAL4 certification."

Here is more support....
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

If you have a current EAL level 4 certified system and it is in 
production, it means nothing to the extent other than you have a very 
expensive piece of hardware.  Can you secure it?  If you are looking for 
this answer then my suggestion is to run a series of PenTests against it 
and see.  Rapid7 or CoreImpact or Metasploit or any number of system 
Vulnerability scanners.  If something pops as a finding then address it 
and move on.  But the certification for eal4 doesn't mean anything 
unless you know how to secure the device... That's the bottom line.

Kawika

"Regret for the things we did can be tempered by time; it is regret for 
the things we did not do that is inconsolable." -Sydney J. Harris 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of castellan2004-fd@yahoo.com
Sent: Wednesday, November 01, 2006 5:12 AM
To: focus-linux@securityfocus.com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as a EAL4 
system by IBM.  During the assessment, I was looking for standard Linux 
protections like iptables, ssh etc.  On this server, there is no 
iptables.

Regardless, I would like to know how to evaluate a EAL
4 system.  What do you need to look for in the EAL 4 system in 
production that could become vulnerable?

Thank you in advance for any help.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of castellan2004-fd@yahoo.com
Sent: Wednesday, November 01, 2006 5:12 AM
To: focus-linux@securityfocus.com
Subject: Vulnerability Assessment of a EAL 4 system

I am looking at a Linux server which has been accredited as a EAL4 
system by IBM.  During the assessment, I was looking for standard Linux 
protections like iptables, ssh etc.  On this server, there is no 
iptables.

Regardless, I would like to know how to evaluate a EAL
4 system.  What do you need to look for in the EAL 4 system in 
production that could become vulnerable?

Thank you in advance for any help.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Vulnerability Assessment of a EAL 4 system, shashi
Next by Date:  Re: Detecting Brute-Force and Dictionary attacks, Sebastiaan Veenstra
Previous by Thread:  Re: Vulnerability Assessment of a EAL 4 system, shashi
Next by Thread:  Re: Detecting Brute-Force and Dictionary attacks, Sebastiaan Veenstra
Indexes:  [Date] [Thread] [Top] [All Lists]