FAST360® Certification
Beyond Certification - Qualification
The Central Information Systems Security Division (DCSSI) is the French organisation authorised to issue security certificates for security products and systems. In particular, the DCSSI has defined a “Processus de Qualification d’un Produit de Sécurité niveau standard” (Security Product Qualification Process – Standard Level) based on the Common Criteria for Information Technology Security Evaluation standard (ISO 15408). The resulting certifications and qualifications attest that products comply with the security and assurance requirements stipulated in the Common Criteria, as specified in a document referred to as the Target of Evaluation (TOE), which the sponsor is responsible for writing.
These certificates rely on the security evaluation results provided by private laboratories (the Information Technology Security Evaluation Facilities, otherwise known as CESTI) upon completion of Information Technology Security Evaluation procedures based on the Common Criteria requirements framework. Procedures are carried out within the framework of the French evaluation and certification programme.
The Qualification process sets out to ensure that all of the security objectives and functions contained in the Target of Evaluation presented during the evaluation procedure correspond to the “standard” operational analysis of the product. Hence, the first step of the Qualification process consists of TOE approval between the sponsor and the DCSSI.
In the case of Arkoon, the functional scope of the Target of Evaluation includes filtering and translation functions for network (IP, ICMP) and transport (TCP, UDP) flows, as well as the application filtering modules FAST HTTP, FTP, SMTP, DNS UDP and DNS TCP. Associated monitoring and management functions are also part of the Target.
Strategy: to honour Arkoon’s commitments to the Common Criteria
Compliance with the international standard (Common Criteria) is a major goal for Arkoon.
For leading clients, SMEs and administrations, consulting the Target of Evaluation of a Common Criteria certification is the best means of ensuring products are up to standard with the security requirements they have striven to meet. Arkoon has thus put forward the means and resources required to maintain the certificate for its new product versions, and to enhance the Evaluation Assurance Level to EAL3, followed by EAL4, without narrowing the scope of the Target of Evaluation. Arkoon is convinced that the Common Criteria, a recent standard, will be universally acknowledged as an indisputable frame of reference and is prepared not just to follow the movement, but to keep up with it, or even to precede it.
The French Protection Profile, a DCSSI and ARKOON initiative
Within the context of the development of the global information society and its security, and through the Ministry of the Economy, Finance and Industry (MINEFI/DIGITIP), the State is financially supporting the establishment of a Protection Profile for Firewalls with Standard Qualification, as defined by the Central Information Systems Security Division (SGDN - General Secretariat for National Defense / DCSSI). ARKOON Network Security has been entrusted with the running of this project as part of a labelled project. Since 2003, ARKOON has been committed to a vast certification programme pertaining to the security of its products according to the Common Criteria (ISO 15408). This project fits into ARKOON’s efforts to optimise the certification approach and to provide users with a clear picture of the security functionalities that its products ensure.
The main purpose of the call for OPPIDUM projects is to encourage the emergence of efficient sales and security solutions, in order to keep up with the development of an offer that meets the expectations of SME/SMI, private individuals and leading companies and enables them to develop electronic interchange with confidence.
The Target of Evaluation (TOE)
The Target of Evaluation is the reference document describing the scope of CC evaluation. It details the Target of Evaluation and its environment, the security aims of the Target of Evaluation, the functional requirements implemented (SFR) and the anticipated Evaluation Assurance Level (EAL). In the document, the target writer provides a complete presentation of the choice of functional requirements and the anticipated evaluation level. If need be, it demonstrates compliance with one or several Protection Profiles.
Definition of the target and its scope is one of the key steps of the certification process. A narrow scope would result in the certification of a set of functions with little significance for users. Too wide a scope would burden the company with technical writing and evaluation tasks, and hence lengthen the duration and increase the cost of the project, which would then demand a higher budget. As a result, certification could end up being issued to an “outdated” version of the product. The Arkoon v3.0 Target of Evaluation is available in the catalogue of qualified products on the DCSSI website.
The Evaluation process (TOE)
I. Preparation Object
II. Evaluation Object
III. Certification Object
Evaluation Assurance Level
Part 3 of the Common Criteria defines seven Evaluation Assurance Levels (EAL), of which the general meaning is as follows:
EAL1 - functionally tested
EAL2 - structurally tested
EAL3 - methodologically tested and checked
EAL4 - methodologically designed, tested and reviewed
EAL5 - designed using semi-formal methods and tested
EAL6 - design checked using semi-formal methods and tested
EAL7 - design checked using formal methods and tested
In the case of EAL2+ or enhanced, the enhancement of the Common Criteria assurance components relates to vulnerability tests, product design, the quality of its associated documentation, its maintenance and development security. For a complete description of the CC assurance level retained, please refer to the Qualification page.
Compared with the Enhanced EAL2 retained by the DCSSI Standard level Qualification to which Arkoon is committed, the EAL3 level provides additional assurance for TOE and associated document management. It also provides additional assurance for the depth of tests performed. Please note that the vulnerability analysis level at Enhanced EAL2 level is that of an EAL4.
The EAL4 level raises the assurance level pertaining to the functional description of the target of evaluation, low-level product design, source code, version tracking and delivery.
Certificate maintenance
Common Criteria certification is obtained for a determined product version. As commercial products are further developed, it is necessary to maintain the certificate to ensure each major product version continues to be certified for the appropriate level of assurance. Within the framework of its Product Engineering management department, Arkoon has put forward the resources and methods required for maintaining the certificate for future major versions of its products.