VMware Infrastructure 3 achieves Common Criteria EAL4+


In December 2004 VMware submitted ESX 2.5 and VirtualCenter 1.2 to Common Criteria, the international standard for computer security, obtaining the Evaluation Assurance Level (EAL) 2 over two years later.

The company submitted VMware Infrastructure 3 as well, obtaining the EAL 4+ this week.

The EAL4+, which means that the product is methodically designed, tested and reviewed, is a high level in the Common Criteria ranking (reaching up to EAL7) but the certification value is really meaningful only when compared against a reference model, the Protection Profile, used to verify the functionality and security levels of a certain class of solutions, and a definition document prepared by the vendor, the Security Target, used to describe the security properties of the specific solution.
The protection profiles are written by the industry groups and a security target may use one of more of them as a template.

For example: to certify Windows 2000 Microsoft submitted a security target which used the Operating System protection profile as reference model.
The OS (without any security patches) was ranked EAL4+ in 2005, accordingly to these documents.

At today there is not a protection profile for the hypervisors or the virtual infrastructures, so that VMware has been free to shape the security target without any constrain and being certified for the definition it provided.
This doesn’t mean that the certification is useless, but that the EAL ranking alone doesn’t imply a secure product.

VMware already submitted VI 3.5 for the same EAL4+ certification.

Advertisements

2 thoughts on “VMware Infrastructure 3 achieves Common Criteria EAL4+

  1. You write that VI 3.5 is submitted for EAL4+ certification. I have also heard that, but it is impossible to find any traces of the “ongoing” certification on the web.

    Do you have any links?

    PC

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s