Common Criteria Certification Gets Down to Network Access Control

The proliferation of digital platforms within the government (including mobile devices, cloud computing and the Internet of Things) has increased the sprawl of the computing landscape and with it new vulnerabilities for potential cyber attacks. While (rightly) focusing on securing endpoints and communication lines in a diverse, mobile, and cloud-based environment, network managers also can't forget about the basics of the computing infrastructure, which if unattended could prove to be the weak links. After all, having a solid door and an alarm system is great, but it counts for little if you leave a window open.

One key tool for securing the elements of the network is the Common Criteria certification, an international standard that has been evaluating and certifying a wide array of products for years, but until recently has had a potential blind spot with regard to network access control (NAC). Among other steps, Common Criteria can help reduce risks in the supply chain, which by some estimates is the original source of up to 80 percent of breaches and which has been a source of concern for the Department of Defense.

The Federal government requires Common Criteria evaluations to ensure products meet security requirements, and the validation is particularly important for the defense and intelligence communities, as well as critical infrastructure such as power plants and dams. Manufacturers invest in getting Common Criteria validation to meet the requirements of Presidential Decision Directive 63 on Critical Infrastructure Protection, which has been in effect for 20 years.

“America’s national and economic security are increasingly reliant on certain critical infrastructures and upon cyber-based information systems,” according to the directive, which laid out a framework for assessing vulnerabilities, along with eliminating vulnerabilities, and preventing and responding to attacks.

Common Criteria has validated solutions and software in technologies such as wireless access points, switches, Virtual Private Networks, biometric systems, databases, and mobile devices. But not NAC tools, until now.

ClearPass from Aruba Networks, an HPE company, recently became the first, gaining Common Criteria certification for NAC under both the Network Device collaborative Protection Profile (NDcPP) and the Authentication Server Extended Package. The certification was awarded by the National Information Assurance Partnership (NIAP), the U.S. government initiative that oversees the Common Criteria program. ClearPass certification was validated through Gossamer Security Solutions, an independent testing lab.

NDcPP is a baseline for any network-connected device or system; in essence, if a product can connect to a network, it should meet these standards. The tests focused on security requirements covering authentication, encryption, physical security, X.509 certificate validation, known vulnerabilities, and TLS/SSL processing. The Extended Package for Authentication Servers is an add-on for NDcPP and assesses functionality and security specific to RADIUS authentication servers.

NAC is intended to shore up authentication and access for endpoints on a network by unifying security measures such as antivirus, intrusion detection, and vulnerability assessments. ClearPass enables organizations to profile, authenticate, and authorize users, systems, and devices on their networks, Aruba said in an announcement. It allows security teams to keep up with the spread of mobile, cloud, and Internet of Things environments. And it adds one more class of product to Common Criteria’s security umbrella.
