Security is Red Hat's latest mantra. This week the company announced that JBoss.com, its signature middleware platform, will be subject to the Common Criteria certification process and that Hewlett-Packard Co. will offer multilevel security (MLS) services for Red Hat Enterprise Linux (RHEL 5).
HP's collection of security services includes five support options and is the first set of services of its kind offered on the Linux operating system, said Erik Lillestolen, the government program manager for open source and Linux at HP.
The support options include long-term support; MLS application on-site training; MLS application design, implementation and validation; MLS support and a two-tiered standard-level support pack, Lillestolen said. MLS is designed for customers managing top-secret information, such as government and military agencies, he said.
"An enterprise [Red Hat] customer could implement MLS," said Lillestolen, "however, as a whole they probably would not have a large need for it. Customers in the enterprise sector would probably be best served with single-layer security."
HP also sells and supports hardware running Novell Inc.'s SUSE Enterprise Linux but doesn't offer the same MLS services for the OS because Novell has not undergone Common Criteria certification for the same level of security as RHEL 5, Lillestolen said.
Common Criteria is an internationally approved set of security standards used by governments and businesses worldwide that rates the features of computer systems with seven evaluation assurance levels (EAL). These levels are obtained through an extensive testing and certification process. Both Red Hat and Novell have acquired EAL 4-plus on a variety of hardware offerings from IBM, HP, Unisys and more for their respective Linux operating systems.
HP has achieved Common Criteria certification at Evaluation Assurance Level 4 (EAL4) with the Labeled Security Protection Profile (LSPP). RHEL 5 also achieved LSPP via SELinux, which is an implementation of mandatory access control using Linux Security Module (LSM) in the kernel that was originally developed by the National Security Agency (NSA). SELinux ships with RHEL 5 and is turned on by default.
This is not the first Common Criteria partnership between Red Hat and a hardware vendor. In May, Red Hat and IBM promised customers LSPP Common Criteria certification for Red Hat Enterprise Linux on System z.
JBoss and certification
On the middleware side, Red Hat executives said that the company would pursue Common Criteria certification for the JBoss Enterprise Application platform. Red Hat acquired JBoss, an open source middleware company, for $350 million in 2006, and it began shipping a combined RHEL/JBoss application stack in September 2006.
Many U.S. and European government agencies and other high-level security organizations, including the U.S. Department of Homeland Security (DHS), use Common Criteria certification as a determining factor in making IT purchasing decisions. Morris Segal, a systems architect at DHS, said that the criteria has its limits, though.
"A brick would make EAL 7 as long as there wasn't anything written on it," he said. "The more secure something is, the less functional it is."
Segal said users are probably best served when they use an operating system, application or software suite that has a rating of at least an EAL 3 or EAL 4. With that knowledge in hand, most customers can be assured that the software they buy has been properly vetted by an independent international organization and does not require additional testing on their part, he said.
"Most of us in this business have a different focus than doing security checks. [JBoss] being certified means users won't have to be security gurus every time they install it," he said.