Server maker IBM Corp. and commercial Linux distributor Red Hat Inc. say that they have jumped through the rigorous Common Criteria security certifications used by the U.S. government (and particularly the Department of Defense) to certify if a particular server and operating system stack is secure enough for deployment in sensitive situations.
The Common Criteria certification is the result of the merging of security standards from North American and European governments. It is used by governments to separate products that have demonstrated their security, as audited by expert third parties, from those products that cannot or have not attained the certification. EAL4 is the highest rating, but EAL3 is good enough for government work (so to speak) where Unix systems have sold well in the past decade.
IBM and Red Hat say that they have achieved the CAPP/EAL3+ evaluation level on the Common Criteria tests with Red Hat’s Enterprise Linux 3 WS on xSeries servers (which is important since workstation Linux licenses are often used in supercomputer clusters) as well as Enterprise Linux 3 AS on IBM’s full line of servers. That includes the xSeries Pentium and Xeon machines, the pSeries and iSeries Power machines, the eServer 325 Opteron machines, and the zSeries mainframes. The two companies qualified Enterprise Linux 3, Update 2 on the tests. Update 3 is around the corner, and it is unclear if this update will have to be recertified on this iron again.
In late January 2004, IBM and Novell Inc certified SuSE Enterprise Server 8 with service pack 3 running across the eServer line (xSeries, iSeries, pSeries, zSeries, and eServer 325 Opteron-based machines) to the Common Criteria CAPP/EAL3+ level.