On Tuesday, 11/04/2008 at 02:20 EST, "A. Harry Williams" <[EMAIL PROTECTED]> wrote:
> There is a 4th very important that I'm sure Alan will chime in with,
> EAL, Evaluation Assurance Level.

- z/VM 5.3 is EAL 4+ using protection profiles CAPP and LSPP.
- z/OS 1.9 is EAL 4+ using protection profiles CAPP and LSPP.
- RHEL 5 is EAL 4+ using protection profiles CAPP and LSPP
- SLES 10 is EAL 4+ using protection profile CAPP
- VMware ESX Server 3.0.2 with VirtualCenter 2.0.2 is EAL4+ with no protection profile
- System z LPAR is EAL 5 with no protection profile

"CAPP" covers, among other things, authentication, discretionary access control (authorization), and audit. "LSPP" expands on CAPP by adding "labeled security" which is a type of mandatory access control wherein the system can override the wishes of a resource owner (or admin) based on roles.

These allow a simple apples-to-apples comparison of functionality. Without a standard protection profile, such as for VMware and LPAR, you must carefully read the Security Target, a document that enumerates the vendor's claims.

Don't be deceived by the "EAL" number. It is a measure of the amount of evidence (assurance) that the vendor has provided to the evaluator to support the claims in the Security Target. It also measures the amount of effort expended by the evaluator to assess the evidence. A higher evaluation assurance level (EAL) does NOT mean it is "more secure".

And the "plus" at the end indicates that there is a mechanism to report, track, fix, and deliver fixes to the security-relevant parts of the system, a.k.a. "flaw remediation".

Alan Altmark
z/VM Development
IBM Endicott