National Computer Security Center NCSC - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
National Computer Security Center (NCSC)
  • CS662 - System Security Certifications and
    Accreditations
  • Dennis Follador

2
Whatis.com Definition
  • The National Computer Security Center (NCSC) is
    a U.S. government organization within the
    National Security Agency (NSA) that evaluates
    computing equipment for high security
    applications to ensure that facilities processing
    classified or other sensitive material are using
    trusted computer systems and components.

3
NCSC
  • Founded in 1981
  • Originally called Department of Defense Computer
    Security Center
  • 1985 changed name to NCSC
  • Works with industry, educators, government
    agencies
  • Promotes research and standardization of secure
    information systems.

4
NCSC
  • National Computer Security Center, 9800 SAVAGE
    ROAD STE 6765, FT MEADE MD 20755-6765
  • Phone - (410) 854-4376
  • Fax - (410) 854-4375
  • http://www.radium.ncsc.mil/

5
NCSC
  • Computer Evaluation Program
  • Trusted Product Evaluation Program (TPEP)
  • Test commercial products
  • Published Orange Book
  • Aug, 1983 - Department of Defense (DoD) Trusted
    Computer System Evaluation Criteria (TCSEC)
  • 1985 reissued as DOD standard

6
NCSC Trusted Product Evaluation Program (TPEP)
  • http://www.radium.ncsc.mil/tpep/
  • Commercial Product Evaluations - COTS
  • Level of trust rating using the Trusted Computer
    System Evaluation Criteria (TCSEC)
  • The Interpreted Trusted Computer System
    Evaluation Criteria Requirements Rainbow Series
  • Trusted Network Interpretation of the TCSEC
    (TNI), 31 July 1987 (Red Book)
  • Computer Security Subsystem Interpretation of the
    TCSEC (CSSI), 16 September 1988 (Venice Blue
    Book)
  • Trusted Database Management System Interpretation
    of the TCSEC (TDI), April 1991 (Purple Book)

7
NCSC (TPEP) - Evaluated Products List (EPL) A1
  • Operating Systems
  • No products are currently listed in this section
    at this rating.
  • Network Components
  • The Boeing Company MLS LAN
  • Gemini Computers, Inc. Gemini Trusted Network
    Processor
  • Trusted Applications
  • No products are currently listed in this section
    at this rating.

8
NCSC (TPEP) - Evaluated Products List (EPL) B3
  • Operating Systems
  • Wang Government Services, Inc. XTS-200 STOP 3.1.E
  • Wang Government Services, Inc. XTS-200 STOP 3.2.E
  • Wang Government Services, Inc. XTS-300 STOP 4.1
  • Wang Government Services, Inc. XTS-300 STOP 4.1a
  • Wang Government Services, Inc. XTS-300 STOP 4.4.2
  • Wang Government Services, Inc. XTS-300 STOP 5.2.E
  • Network Components
  • No products are currently listed in this section
    at this rating.
  • Trusted Applications
  • No products are currently listed in this section
    at this rating.

9
NCSC (TPEP) - Evaluated Products List (EPL) B2
  • Operating Systems
  • Trusted Information Systems, Inc. Trusted XENIX
    3.0
  • Trusted Information Systems, Inc. Trusted XENIX
    4.0
  • Network Components
  • Cryptek Secure Communications, LLC VSLAN 5.0
  • Cryptek Secure Communications, LLC VSLAN/VSLANE
    5.1
  • Cryptek Secure Communications, LLC
    DiamondLAN/DiamondLANe (formerly VSLAN/VSLANE
    6.0)
  • Trusted Applications
  • No products are currently listed in this section
    at this rating.

10
NCSC (TPEP) - Evaluated Products List (EPL) B1
  • Operating Systems
  • Amdahl Corporation UTS/MLS, Version 2.1.5
  • Computer Associates International, Inc. CA-ACF2
    MVS Release 6.1 with CA-ACF2 MAC
  • Digital Equipment Corporation SEVMS VAX Version
    6.0
  • Digital Equipment Corporation SEVMS VAX Version
    6.1
  • Digital Equipment Corporation SEVMS VAX and Alpha
    Version 6.1
  • Digital Equipment Corporation ULTRIX MLS Version
    2.1 on VAX Station 3100
  • Harris Computer Systems Corporation CX/SX 6.1.1
  • Harris Computer Systems Corporation CX/SX 6.2.1
  • Hewlett Packard Corporation HP-UX BLS release
    8.04
  • Hewlett Packard Corporation HP-UX BLS release
    9.0.9
  • Silicon Graphics Inc. Trusted IRIX/B release
    4.0.5EPL
  • Unisys Corporation OS 1100 Security Release I
  • Unisys Corporation OS 1100/2200 Release SB3R6
  • Unisys Corporation OS 1100/2200 Release SB3R8
  • Unisys Corporation OS 1100/2200 Release SB4R2
  • Unisys Corporation OS 1100/2200 Release SB4R7
  • Network Components
  • Cray Research, Inc. Trusted UNICOS 8.0

11
NCSC (TPEP) - Evaluated Products List (EPL) C2
  • Operating Systems
  • Data General Corporation AOS/VS II, Release 3.01
  • Data General Corporation AOS/VS II, Release 3.10
  • Digital Equipment Corporation OpenVMS VAX Version
    6.0
  • Digital Equipment Corporation OpenVMS VAX Version
    6.1
  • Digital Equipment Corporation OpenVMS VAX and
    Alpha Version 6.1
  • Computer Associates International, Inc. CA-ACF2
    MVS Release 6.1
  • IBM AS/400 with OS/400 V2R3M0
  • IBM AS/400 with OS/400 V3R0M5
  • IBM AS/400 V3R2 Feature Code 1920 Version 2
    Hardware
  • IBM AS/400 with OS/400 V4R1M0 with Feature Code
    1920
  • IBM AS/400 with OS/400 V4R4M0 with Feature Code
    1920
  • IBM RS/6000 Distributed System
  • Microsoft Corporation Windows NT, Version 3.5
  • Microsoft Corporation Windows NT Workstation and
    Windows NT Server, Version 4.0
  • Tandem Computers Inc. Guardian-90 w/Safeguard
    S00.01
  • Network Components
  • Novell, Incorporated NetWare 4 Network System
    Architecture Design
  • Novell, Incorporated NetWare 4.11

12
NCSC (TPEP) - Evaluated Products List (EPL) C1
  • Products are no longer evaluated at this rating
    class.

13
NCSC (TPEP) - Evaluated Products List (EPL) D1
  • Subsystems
  • Fischer International Watchdog PC Data Security,
    Version 7.0.2
  • Okiok Data Ltd. RAC/M and RAC/M II version 3.3

14
NCSC Trust Technology Assessment Program (TTAP)
  • Establish commercial facilities to perform
    trusted product evaluations.
  • (TCSEC) C2/B1 level of trust
  • Common Criteria based Security Targets and/or
    Protection Profiles
  • TTAP Evaluation Facilities
  • Arca Systems
  • Booz, Allen, Hamilton
  • CoAct Incorporated
  • Computer Sciences Corporation
  • Cygnacom Solutions
  • Science Applications International Corporation

15
NCSC Trust Technology Assessment Program (TTAP)
  • May 2000 - TTAP Transition to Common Criteria
    Evaluation and Validation Scheme (CCEVS)
  • No new evaluations are being conducted using the
    TCSEC although there are some still ongoing at
    this time.
  • Going Forward - Common Criteria for Information
    Technology Security Evaluation (CCITSE)

16
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Paris, 12 March, 1997
  • Original agreement to recognize certificates for
    IT security product evaluations.
  • National Security Agency (NSA)
  • Canada (Communications Security Establishment)
  • United Kingdom (Communications-Electronics
    Security Group)
  • France (Central Service for Information Systems
    Security)
  • Germany (German Information Security Agency)

17
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Federal Criteria Document - attempt to replace
    Trusted Computer System Evaluation Criteria
    (TCSEC).
  • Draft
  • Public comment Dec 1992
  • International - Information Technology Security
    Evaluation Criteria (ITSEC)
  • Current issue is Version 1.2, June 1991 by the
    European Commission.
  • September 1993, IT Security Evaluation Manual
    (ITSEM) which specifies the methodology to be
    followed when carrying out ITSEC evaluations.

18
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Version 2.2
  • Part 1: Introduction and general model
  • Part 2: Security functional requirements
  • Part 3: Security assurance requirements

19
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Part 1: Introduction and general model
  • Defines the concepts and principles of IT
    security evaluation and presents a general model
    of evaluation. Part 1 also presents constructs
    for expressing IT security objectives, for
    selecting and defining IT security requirements,
    and for writing high-level specifications for
    products and systems. In addition, the usefulness
    of each part of the CC is described in terms of
    each of the target audiences.

20
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Part 2: Security functional requirements
  • Establishes a set of functional components as a
    standard way of expressing the functional
    requirements for TOEs. Part 2 catalogues the set
    of functional components, families, and classes.
  • TOE - Target of Evaluation

21
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Part 3: Security assurance requirements
  • Establishes a set of assurance components as a
    standard way of expressing the assurance
    requirements for TOEs. Part 3 catalogues the set
    of assurance components, families and classes.
    Part 3 also defines evaluation criteria for PPs
    and STs and presents evaluation assurance levels
    that define the predefined CC scale for rating
    assurance for TOEs, which is called the
    Evaluation Assurance Levels (EALs).
  • PP - Protection Profile
  • ST - Security Target

22
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Certified Protection Profiles
  • Controlled Access Protection Profile (Version
    1.d)
  • Labeled Security Protection Profile (Version 1.b)
  • Traffic Filter Firewall Protection Profile for
    Low Risk Environments (Version 1.1)
  • Traffic Filter Firewall Protection Profile for
    Medium Robustness Environments (Version 1.4)
  • Peripheral Sharing Switch (PSS) for Human
    Interface Devices (Version 1.0)

23
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Common Criteria, Final Evaluation Reports of
    products that have undergone evaluations against
    U.S. Government Protection Profiles.
  • Cisco Systems, Inc., PIX Firewall Evaluation
    Report
  • Check Point Software Technologies, Inc.,
    FireWall-1 Evaluation Report
  • Lucent Technologies, Lucent Managed Firewall
    Evaluation Report

24
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • International Validated Product List
  • Cisco Secure PIX Firewall V6.2(2) - UK
  • Hewlett-Packard HP-UX (11i) Version 11.11 - UK
  • Oracle9i Release 9.2.0.1.0 - UK
  • Red Hat Enterprise Linux AS, Version 3 Update 3 -
    Germany
  • Sun Solaris 9 Release - Canada
  • Symantec Manhunt Version 2.11 - US

25
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • TTAP transition to Common Criteria Evaluation and
    Validation Scheme (CCEVS)
  • May 2000
  • Common Criteria Testing Labs (CCTL)
  • BAH, CSC, SAIC, etc.

26
Common Criteria for Information Technology
Security Evaluation (CCITSE)
  • Common Criteria Recognition Arrangement
  • Mutual recognition arrangement for IT security
    evaluations.
  • Australia, Canada, Germany, France, Japan, New
    Zealand, United Kingdom, US
  • Agreed to accept the certificates from countries
    listed above.
  • Austria, Finland, Greece, Israel, Italy,
    Netherlands, Norway, Spain, Sweden, Hungary,
    Turkey, Czech Republic, Republic of Singapore

27
References
  • http://csrc.nist.gov/publications/secpubs/ncsc_etl.txt
  • http://www.radium.ncsc.mil/tpep/
  • http://www.commoncriteriaportal.org/

28
Conclusion
  • Pros
  • International Participation - Pooling of
    Resources.
  • Worldwide mutual recognition of evaluation
    results.
  • Cons
  • Acceptance?
  • Questions?
  • Thank You