Security vendor Trusted Computer Solutions, Red Hat and IBM announced Tuesday that the trio of companies would be trying to get the next version of Red Hat Enterprise Linux rated as a secure system according to Common Criteria evaluation on a broad range of IBM eServer systems.
If successful, this evaluation will mean that Red Hat Inc.s RHEL (Red Hat Enterprise Linux) 5, when running on specific IBM eServer system, will meet federal government security standards for assured information sharing within and across government agencies.
Specifically, the forthcoming RHEL 5 has been officially entered in the NIAP (National Information Assurance Partnership)-approved CCEVS (Common Criteria Evaluation & Validation Scheme) this month to bring a new level of security and assurance to Linux.
NIAP is a collaboration effort between NIST (National Institute of Standards and Technology) and the NSA (National Security Agency) to meet the demands of high-level security testing.
CCEVS is NIAPs evaluation program to determine what COTS (commercial off-the-shelf) information technology products meet its stringent security requirements
The CCEVS-approved platform will contain an NSAs SELinux (Security Enhanced Linux)-enabled kernel with policy enhancements. This was the result of work by IBM, Red Hat, TCS (Trusted Computer Solutions Inc.) and the Linux community.
Red Hat has been included basic SELinux functionality since RHEL 4. In RHEL 5, SELinux functionality and management will be considerably improved.
IBM is working with Red Hat to sponsor RHEL 5 certification on IBM server brands, including xSeries, pSeries, zSeries and BladeCenter.
The eventual goal is to get the combination of RHEL, IBM hardware and TCS applications to EAL4 (Evaluation Assurance Level 4).
Once the effort is approved, users will also be able to run TCS cross-domain security applications, such as SecureOffice, NetTop and NetTop2, on RHEL.
“For years our customers have been clamoring for the look, feel, flexibility and functionality of todays commercial software,” Susan Alexander, chief of information assurance research at the NSA, said in a statement.
“With NetTop, based on SELinux, they can get just such an environment without compromising on security,” Alexander said.
“This collaboration and evaluation effort will make Red Hat Enterprise Linux the most secure open-source operating system platform available,” Brian Stevens, Red Hats vice president of operating systems development, said in a statement.
In particular, Stacey Quandt, the Aberdeen Groups research director for security solutions and services, said, “The pending certification of Red Hat Enterprise Linux Version 5 will provide U.S. federal agencies the requisite approval to procure and deploy Linux within their IT environments.”
Further, Quandt said, “This level of industry collaboration and cooperation demonstrates the growing interest in using Linux among federal agencies. The certification will also provide Red Hat with first-mover status in comparison to completely Linux distributions.”
“Of larger significance is that this initiative fuels the potential adoption of a certified Red Hat Linux stack within U.S. government departments and agencies. For instance, Red Hat offers certificate management, clustering and other applications on top of Linux.”
At the same time, the government will win too, according to Quandt.
“The U.S. governments support for Linux is indicative of the shift away from government-developed code and the lower costs associated with commercial off-the-shelf solutions. The U.S. government benefits from the community efforts to enhance the security of Linux with up-to-date technical innovation,” Quandt said.
RHEL 5 is expected to be available in late 2006.