VMware's vSphere 4.0 stack has received its EAL4+ certification for use with military and intelligence services. To pass muster with government military and intelligence services, virtual servers have to show they can eat nails and piss fire just like physical servers and their operating systems. That's one of the reasons why …
But what was the ToE? A hypervisor with no guest OS and not connected to anything?
Security Target Doesn't include key features
This is all very well and good, but the Target of Evaluation does not include VMware VMotion, which means that HA features are unavailable. The Target only includes the running of separate VMs on a single host; you can have multiple single hosts each with their own VMs, but migrating live VMs between hosts and using HA features is not supported by the evaluation. Sure, you can power off the virtual machine, assign it to a different host and power it back up again, which gives you a limited amount of flexibility, but it's still a crippled solution.
Government depts have been using VMware for ages on this basis; the only difference between this situation and what was previously understood is that the eval now takes into account that the VM instances are sufficiently isolated from each other and the host is sufficiently secure as to allow an EAL4+ evaluation. This, in the grand scheme of things, doesn't amount to much more than a small pile of beans, because what gov departments want is the assurance that the HA and VMotion features are secure enough to be deployed in a secure environment; they also want the Security Target and Config guide to tell them how that can be achieved.
Introducing the Flawed Machine?
"It takes a while to test and certify a platform using the Common Criteria specs because to get through the EAL4 and higher levels, auditors and security experts have to have access to the source code and go through it with a fine-toothed comb, looking for holes."
That presumably has the weakest link in any chain, a human being, deciding on how strong a system will be. Now that is simply brilliant.
"had its internals poured over by propellerheads"
Should that actually read "pored" or "pawed"?
Or does it mean >EAL5 must have some sort of sauce poured over the source.
Which begs the question, what's the propellerheads' preferred sauce? Ketchup, wasabi, gravy...
The fact that WinXP SP2 is certified EAL4+ should give us all a good idea of how meaningful the certification is.
When I got to the bit about "Windows XP SP2" being certified at EAL4+ (which it says includes source code auditing) I really wondered what it actually means?
I mean, there have been numerous serious flaws come out since then and this certification audit found nothing? For example, the 'shortcut' DLL initialisation fiasco that helped Stuxnet, and that flaw is also present in W2K, also certified, and Vista, also certified.
So it seems EAL certification is more of a tick-box for covering your ass when procuring, and not a meaningful measure of a product being actually secure?