Why use certified/evaluated products?
What is the difference between certification and evaluation?
What are certification/evaluation levels?
What is the Common Criteria?
Why is the Common Criteria superior to other evaluation standards?
What is Cisco doing with ICSA certification?
Why aren't our certified products listed on the ICSA IPSec web page?
What is FIPS 140?
How do I configure my FIPS 140 certified product in FIPS mode?
What about the new standard - FIPS 140-2?
What is the difference between FIPS 140 and the Common Criteria for cryptographic functions?
What is ITSEC and how does it relate to the Common Criteria?
What is the CESG Assisted Products Scheme (CAPS)?
What are the challenges involved in obtaining certifications and evaluations?
Why use certified/evaluated products?
Security certification and evaluation provide customers with a higher level of confidence about the quality of commercial security products. Securing information systems is all about managing risk, and the use of certified or evaluated products reduces the number of unknowns for overall security functionality. Cisco is focusing on international standards for security certification and evaluation where possible, which offer independent product testing and validation to provide customers with the highest quality, internationally recognized assurance.
What is the difference between certification and evaluation?
Although the term certification is often used to refer to any type of formal security assessment process, there is a clear distinction between certification and evaluation.
Certification is a formal verification that a product or function meets a specified standard, or complies with specific minimum requirements and/or tests. Certification is typically used to verify cryptographic function and is driven by specific Government requirements. Some examples of certifications are:
- FIPS 140 recognized by the United States National Institute of Standards and Technology (NIST) and the Canadian Communications Security Establishment (CSE) for cryptographic modules
- Communications-Electronics Security Group (CESG) Assisted Products Scheme (CAPS) in the United Kingdom
- Cryptographic Advisory Note (CAN), issued by Australia's Defence Signals Directorate (DSD)
Evaluation, on the other hand, is a structured methodology for examining a product or function to confirm that claimed functionality meets established security objectives. Some examples of evaluation standards are:
- Common Criteria - an international standard officially recognized by fourteen countries
- Information Technology Security Evaluation Criteria (ITSEC) - recognized in Europe and Australia
What are certification/evaluation levels?
Formal certifications and evaluations provide multiple "levels" of assurance, ranging from paper analysis and simple testing, to analysis of code and in-depth testing, to formal verification and formal testing. Products are submitted to the certification or evaluation process for a specific level. Specific information about levels and what is required for each can be found on the web sites for each certification or evaluation body.
What is the Common Criteria?
The Common Criteria is an international standard for evaluating IT security. It was developed by a consortium of countries to replace a number of existing country-specific security assessment processes, and was intended to establish a single standard for international use. Currently, the Common Criteria is officially recognized by fourteen countries, and evaluations can be conducted by any accredited Common Criteria laboratory in a member country. To maintain the independent nature of the Common Criteria, evaluation results from an accredited lab are submitted to the corresponding country's Common Criteria scheme for independent validation. This validation step, which distinguishes the Common Criteria from some commercial certifications, keeps the evaluation process consistent across labs and means that the lab, which is paid by the vendor, does not decide the outcome on its own.
The Common Criteria has several elements:
- Protection Profile - provides a reusable framework for specifying general security requirements for classes of products and systems (e.g. Intrusion Detection Systems, or Traffic-Filtering Firewalls)
- Security Target - defines the specific security claims made for a product
- Target of Evaluation - defines the particular product or system to be evaluated
Common Criteria evaluations are structured into a number of distinct levels, depending on the amount of detail and the techniques used during the evaluation. For Common Criteria, seven levels are defined - EAL1 (lowest assurance) through EAL7 (highest assurance), where "EAL" stands for Evaluation Assurance Level. Typically commercial products are evaluated in the EAL1-EAL4 range, since the higher assurance levels (EAL5-EAL7) call for semiformal or formal design and verification work that is rarely undertaken for commercial products and is needed only in the most restrictive government environments. Note that an EAL states how thoroughly the claims in the Security Target were examined, not how much security functionality the product provides: two products at EAL4 may have been evaluated against very different claims, so the Security Target should be read alongside the level.
Why is the Common Criteria superior to other evaluation standards?
The Common Criteria has several characteristics that define it as the "gold standard" for security evaluations.
First, the Common Criteria was developed by combining the best security evaluation practices from six nations' existing security evaluation standards, including the US "Orange Book" TCSEC and the European/Australian ITSEC. Fourteen countries have signed an agreement to recognize this best-of-breed standard for high-quality IT security evaluations.
Second, the Common Criteria sets and maintains stringent standards for the evaluation criteria as well as for the conduct of evaluations. Any laboratory that wishes to conduct Common Criteria evaluations must be certified through a rigorous process, and must maintain that certification through periodic re-inspection.
Third, and most important, the Common Criteria is an independent evaluation of security assurance. Evaluation testing results are submitted to the Common Criteria scheme in the lab's host country for validation, to ensure that the evaluation process has been followed correctly, to enforce consistency across labs, and to keep the commercial relationship between the vendor and the lab from deciding the evaluation outcome.
What is Cisco doing with ICSA certification?
ICSA is a commercial security certification body that offers black-box testing for various types of security products. Cisco participates in ICSA's IPSec Interoperability program as well as its Firewall program. See Products by Certification for the current status of Cisco products certified under ICSA.
Why aren't our certified products listed on the ICSA IPSec web page?
ICSA periodically updates its testing criteria, and re-tests products certified under the previous version. When they complete the initial round of testing, ICSA archives the list of products certified under previous criteria. Cisco's IPSec products were certified under criteria version 1.0A, and ICSA is now testing under 1.0B. A few other vendors have passed the 1.0B testing already, and so the 1.0A certified products list is now archived on the ICSA site. Cisco expects to complete the needed changes to meet the new criteria soon; please refer to the archived 1.0A IPSec certified product list in the interim.
What is FIPS 140?
The Federal Information Processing Standard (FIPS) 140 is a US and Canadian Government standard that specifies security requirements for cryptographic modules. FIPS 140 has four levels of assurance: Level 1 is the lowest and Level 4 is the most stringent. Each level builds upon the one below it, so a Level 2 certification means that a product meets the requirements for both Level 1 and Level 2.
FIPS 140 testing is done by independent, accredited laboratories (not the vendor's own), and the results of product certification testing are submitted to the National Institute of Standards and Technology (NIST) in the US and the Communications Security Establishment (CSE) in Canada for independent validation. Just as with the Common Criteria, the value of the FIPS 140 process comes from rigorous standards for both the module being tested and the laboratory conducting the test, combined with independent validation of the test results.
How do I configure my FIPS 140 certified product in FIPS mode?
For every FIPS certified product, Cisco offers an orderable part - the 'FIPS Kit'. The Kit contains all the information and the special tamper-evident seals that are needed for the customer to properly configure a FIPS 140 certified product into a FIPS mode of operation. This information includes instructions on where to download the certified FIPS Security Policy document as well as where to obtain the certified version of the software. Customers who wish to configure their certified products in a FIPS mode of operation should purchase one FIPS Kit per product. Note that the certificate applies only to the module as described in its Security Policy: the certified hardware and software version, with the seals applied and FIPS mode enabled. A product running a different software version, or the same version outside FIPS mode, is not operating in its validated configuration.
What about the new standard - FIPS 140-2?
The current FIPS 140 cryptographic standard is FIPS 140-1. A revised version of the standard, FIPS 140-2, was signed by the Secretary of Commerce on 25 May 2001. FIPS 140-2 testing cannot begin until after NIST/CSE release the revised Derived Test Requirements (DTRs) - possibly late Fall '01. One change from the draft 140-2 standard is that existing FIPS 140-1 certifications remain valid indefinitely, so customers can continue to purchase new products certified under either version of the standard. The most significant date for vendors is 25 May 2002, the last day to submit FIPS 140-1 packages to NIST/CSE for validation; after that date, all new submissions must be made under the -2 standard.
What is the difference between FIPS 140 and the Common Criteria for cryptographic functions?
FIPS 140 is concerned with testing a cryptographic module against specific requirements for cryptographic functions, using approved cryptographic algorithms. The Common Criteria is a more general IT security standard for evaluating security functionality, which may include cryptographic functions, but not to the level of detail called for in FIPS 140. The Common Criteria examines whether or not the general cryptographic functions perform as claimed by the vendor, whereas FIPS 140 requires a cryptographic module to implement algorithms, key management and cryptographic self-testing (to give some examples) in a very specific manner. Products with significant cryptographic functionality may be evaluated under the Common Criteria for overall security functionality, and may also have their cryptographic modules certified under FIPS 140 (or the UK's CAPS, or the Australian CAN, whichever is appropriate).
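The self-testing and approved-algorithm requirements mentioned above are easier to see in code. What follows is an added illustration, not Cisco code and not a FIPS 140 validated module: a toy module in Python that runs known-answer tests at power-up against published vectors (SHA-256 of "abc" from the SHA standard, and HMAC-SHA-256 test case 1 from RFC 4231), refuses every request once any test has failed, and rejects algorithms that are not on its approved list. The digest allow-list, the class names and the single-byte fault used to simulate a corrupted implementation are assumptions made for the illustration.

```python
import hashlib

# Added illustration, not Cisco code. Assumption: an illustrative allow-list of
# approved digests, not a transcription of the standard's annexes.
APPROVED_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}

# Published known-answer vectors: SHA-256("abc"), and RFC 4231 HMAC test case 1
# (key = 20 bytes of 0x0b, data = "Hi There").
KNOWN_ANSWERS = [
    ("digest", "sha256", (b"abc",),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("hmac", "sha256", (b"\x0b" * 20, b"Hi There"),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class ModuleError(Exception):
    """Raised when the module's state or policy forbids a request."""


class CryptoModule:
    """Toy module: self-tests at power-up, then serves only approved algorithms."""

    def __init__(self):
        self.state = "uninitialised"
        self.failed_tests = []
        self.power_up()

    # The one primitive everything is built on; the tampered variant overrides it.
    def _raw_digest(self, name, data):
        return hashlib.new(name, data).digest()

    def _hmac(self, name, key, msg):
        # HMAC per RFC 2104 built from the module's own primitive, so a corrupted
        # primitive fails both known-answer tests rather than just one.
        block = hashlib.new(name).block_size
        if len(key) > block:
            key = self._raw_digest(name, key)
        key = key.ljust(block, b"\x00")
        ipad = bytes(b ^ 0x36 for b in key)
        opad = bytes(b ^ 0x5C for b in key)
        inner = self._raw_digest(name, ipad + msg)
        return self._raw_digest(name, opad + inner)

    def power_up(self):
        """Run every known-answer test; any mismatch leaves the module in the error state."""
        self.failed_tests = []
        for kind, name, args, expected in KNOWN_ANSWERS:
            if kind == "digest":
                got = self._raw_digest(name, *args).hex()
            else:
                got = self._hmac(name, *args).hex()
            if got != expected:
                self.failed_tests.append(f"{kind}-{name}")
        self.state = "error" if self.failed_tests else "operational"
        return self.state

    def _check(self, name):
        if self.state != "operational":
            raise ModuleError(f"module in {self.state} state; failed: {self.failed_tests}")
        if name not in APPROVED_DIGESTS:
            raise ModuleError(f"{name} is not an approved algorithm in FIPS mode")

    def digest(self, name, data):
        self._check(name)
        return self._raw_digest(name, data).hex()

    def hmac(self, name, key, msg):
        self._check(name)
        return self._hmac(name, key, msg).hex()


class TamperedModule(CryptoModule):
    """Simulated corrupted implementation (e.g. a modified binary): flips one output byte."""

    def _raw_digest(self, name, data):
        out = bytearray(super()._raw_digest(name, data))
        out[0] ^= 0x01
        return bytes(out)


def demo():
    """Exercise both modules and return the outcomes as a dict."""
    good, bad = CryptoModule(), TamperedModule()
    try:
        good.digest("md5", b"abc")
        md5_allowed = True
    except ModuleError:
        md5_allowed = False
    try:
        bad.digest("sha256", b"abc")
        tampered_served = True
    except ModuleError:
        tampered_served = False
    return {
        "good_state": good.state,
        "bad_state": bad.state,
        "bad_failures": bad.failed_tests,
        "md5_allowed_in_fips_mode": md5_allowed,
        "tampered_module_served_request": tampered_served,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the tampered variant is the failure mode: a module whose primitive is wrong by a single bit fails its power-up tests and then refuses all service, which is the behaviour the standard wants rather than silently producing bad output. A Common Criteria evaluation would check that the hashing function "works as claimed"; FIPS 140 additionally dictates that this kind of self-test exists and what happens when it fails.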
What is ITSEC and how does it relate to the Common Criteria?
The Information Technology Security Evaluation Criteria (ITSEC) was originally developed by four European countries in the late 1980s and early 1990s as a European counterpart to the US Trusted Computer System Evaluation Criteria (TCSEC), or "Orange Book". The US TCSEC and the European ITSEC were the predecessors of the Common Criteria, with similar properties such as multiple levels of assurance. ITSEC has largely been replaced by the Common Criteria in order to leverage the wider international recognition that the Common Criteria offers.
What is the CESG Assisted Products Scheme (CAPS)?
The UK Government's Communications-Electronics Security Group (CESG) Assisted Products Scheme (CAPS) is an effort to help commercial product vendors produce cryptographic products suitable for use by the British Government for all but the most sensitive applications. CAPS serves a similar purpose for the UK Government as FIPS 140 does for the US and Canadian Governments, and as the Cryptographic Advisory Note (CAN) does for the Australian and New Zealand Governments.
What are the challenges involved in obtaining certifications and evaluations?
The challenge to achieving and maintaining certifications and evaluations comes from the fact that the process is not developer-friendly - it is slow and costly. Further, many certifications and evaluations are accepted in only one country, and a similar process may need to be repeated to demonstrate the same level of assurance for another country. This problem adds considerably to the time it takes to achieve the high-value credentials that our customers require.