Agree here. I understand that NIAP is moving away from EAL levels with Security Targets and more to a Protection Profile based assesment BUT..... on the NIAP webpage the PP for virtualisation is only due out in Q3 2013 it says and with vCNS still listed as going for EAL4+ it is creating confusion.

I would would really help if Eric you could put a blog together explaining the differences and changes and thus the rationale behind the vCNS and vSphere submissions.

Matt

Well that makes two of us Matt.

I sometimes wonder how many users care about the certification details and how many are just happy to see that a product achieves certification.

Protection Profiles would make sense, particularly for areas of protection like the VM resource and fault isolation. I'd expect to see the most repeated protections related to virtualisation applications would be implemented in the hypervisor / supervisor / monitor components. So maybe that's another reason vSphere 5.1 is going for EAL2+ and there is further work going into describing vSphere 6.0 in terms of the proposed PP?

Or maybe CCEVS will drop out of favour as the Software Defined Data Centre pushes the what and how of security certifications.

Some of VMware's certification strategy may be commercially sensitive, but if Eric was to put together what you've suggested then I'd certainly be very interested.

I'm a member of the lab that's certifying this product, so I'll spare Eric some work.

EAL4+ evaluations are not possible any more in any of the "5 eyes" jurisdictions as they have all moved away from them at the same time.   Canada (the home of the CCCS under which this is undergoing evaluation) will only accept evaluations that conform to a protection profile as listed by NIAP - see http://www.niap-ccevs.org/pp/ or at EAL2.   As there is no approved PP for this technology there is no way that it could have fallen under the "PP" route.

That means that this one will be done at EAL 2+ with an ST, which is the maximum assurance level possible.   NIAP's position is that it's extremely difficult to do an EAL4, certainly to do it properly and doesn't merrit the additional expenditure from the vendor's perspective.

As an aside, the assurance level has more to do with the evidence provided by VMware to the lab as opposed to the "security of this version".   Just becase someone may have looked at the source code for the EAL4 doesn't mean the EAL2 is less secure because there was no independant code review, there is simply less independant assurance.

One final note.  vCNS started more than 12 months ago when the EAL4 evaluations were still possible to start (and it was one of the last ones done by CCCS).   You won't see the vSphere 5.1 evaluation taking this long.

Thanks for the explanation Shawn.

While I knew there was a vision statement relating to CCRA last year, I wasn't aware that transitional arrangements had effectively come to an end.

With the drop from EAL4 to EAL2, the assurance users could expect to receive would fall mostly on product testing. Much of the evidence of security engineering and process-based assurance would go unevaluated, which I think does go to the security of version vSphere 5.1 (over 5.0) as a maintenance report isn't being used to address it.

Some of the changes between the last two vSphere Security Targets (say, some data protection moving between classes) have indicated potential testing differences, if not differences in security function implementations. The future use of one or more Protection Profiles for vSphere evaluations would likely reduce the importance of closely following STs between releases, however users may wish to make new assumptions about threats and protections after carefully considering the vSphere 5.1 ST until then.

Unfortunately there is a bit more work in securely using vSphere than certified Type 2 hypervisors as those other evaluations may reference a General Purpose Operating System PP. With a software ecosystem as large and detailed as VMware's is becoming, a single PP seems infeasible for vSphere let alone vCloud. That timing resulted in an inconsistent leveling for vCNS and vSphere (and tcServer) is understandable, but this update is still odd for not discussing composition assurance and packaging.

It is understandable that VMware would prioritise persuing evaluations that are most widely recognized and required. The reason for the drop from EAL4+ to EAL2+ is therefore quite clear, although not necessary.

With much of the burden of evidence-based evaluation lifted from VMware for CC certification, one would expect the continuing commitment to security and compliance to conspicuously appear elsewhere.

Do you know if the Flaw Remediation requirements of the Lifecycle Support Class will still form part of the mutual recognition arrangement for non-PP evaluations?

I'd suggest the discovery or introduction of security vulnerabilities - that were not publicly known or present at the time of evaluation - is of great practical importance to users. It would be of reassurance, I think, if your lab were to evaluate evidence of VMware's continued conformance to ALC_FLR.2. Likewise, I think it would be of great reassurance if VMware comitted to timely correction of flaws by submitting its processes to an evaluation of ALC_FLR.3.

- Shanon

Thanks Eric.

Hello everybody,

I have a question related with this topic, acording with  the documentation, I am not sure if EAL 3+ is supported now a days, indeed my question is,  vmware support the EAL 3+ for vswitches???, could you please tell me something about it???

thanks kind regards.