HP-UX 11i Common Criteria certification

HP-UX 11i v3 Update 3 is currently in evaluation to Common Criteria Evaluation Assurance Level 4 (EAL4), augmented with ALC_FLR.3 (flaw remediation). It is evaluated in conformance to the new Commercial off the Shelf (COTS) Compartmentalized Operations Protection Profile (CCOPP-OS).

The CCOPP-OS specifies the extensive range of security requirements necessary to solve the security problem that organizations encounter when trying to implement readily available operating systems to handle compartmentalized environments. It is conformant with both the Controlled Access Protection Profile (CAPP) and the Role Based Access (RBAC) Protection Profile. CCOPP-OS also contains requirements for Mandatory Access Control to implement compartmentalization in a real-world environment.

When evaluated against the CCOPP-OS, the HP-UX 11i v3 UNIX® operating system will be certified with the most extensive range of security protections of any commercial off the shelf operating system.

New in this evaluation is an extended range of HP-UX 11i v3 partitioning protections. These are highlighted as:

• Compartments provide isolation of process, memory, and files within a single instance of HP-UX 11i should an attack compromise a portion of the OS. Mandatory Access Controls (MAC) is included.
  
• Virtual partitions (vPars) are soft partitioning solutions that provide granularity and flexibility to cell-based servers. It allows multiple instances of HP-UX 11i to run independently within an nPartition.
  
• Hard partitions (nPars) are previously included in the HP-UX 11i v3 certified configuration for CAPP/RBAC and are also included in CCOPP-OS. Each nPartition provides both hardware and software isolation, so that hardware or software faults in one nPartition do not affect other nPartitions within the same server complex.

HP-UX 11i v3, running on HP 9000 and HP Integrity platforms, is successfully evaluated against the requirements for  EAL4 Common Criteria (ISO 15408) Assurance Level, augmented by ALC_FLR.3 (flaw remediation), using the Controlled Access (CAPP) and Role-Based Access Control (RBACPP) Protection Profiles Common Criteria Certification.

Many enterprise and government customers require this vendor-independent security certification because it increases confidence in the product's security assurance, functionality, quality and effectiveness. Many governments, including the United States, require certification for government IT procurement.

New in this evaluation:  Hard partitions (nPartitions or nPars) are included in the evaluated configuration of the HP-UX 11i v3 operating system. Hardware partitions (nPartition) provide both hardware and software isolation so that hardware or software faults in one nPartition do not affect other nPartitions within the same server complex. Hard partitions (nPartitions) are available on cell-based servers such as rp7420, rp8420, rx7620, rx7640, rx8620, rx8640, and Superdome.  The server is split into a number of cells that can be allocated to the nPartitions. Each cell contains processor(s) and system RAM and may be associated with its own peripheral devices. Learn more about the Common Criteria certification advantage of HP-UX 11i nPartitions.

Customers who wish to duplicate this evaluated software configuration can obtain a special 4-disc media kit (BA4491AA, option A54). The kit contains the DVDs of the February 2007 versions of the HP-UX 11i v3 mission-critical operating environment and Instant Information discs, plus a Common Criteria Supplementary CD that contains patches, documentation and tools specific to the evaluated configuration.

HP-UX 11i v2 running on HP 9000 and Integrity platforms has been successfully evaluated against the requirements for the EAL4 Common Criteria (ISO 15408) Assurance Level, augmented by ALC_FLR.3 (flaw remediation), using the Controlled Access (CAPP) and Role-Based Access Control (RBAC) Protection Profiles. EAL4+ is sometimes used as the abbreviated form for additional assurances

Customers who wish to duplicate the evaluated software configuration can obtain a special 3-disc media kit (B8483AA, option A54) containing DVDs of the May 2005 versions of the HP-UX 11i v2 Mission Critical Operating Environment and Instant Information discs, plus a Common Criteria Supplementary CD that contains patches, documentation and tools specific to the evaluated configuration.

HP-UX 11i has been successfully evaluated against the requirements for the EAL4 Common Criteria (ISO 15408) Assurance Level, using the Controlled Access Protection Profiles (CAPP)

Certification is important to both government and enterprise customers. Many governments, including the United States, require certification for government IT procurement. Enterprise customers also appreciate this vendor-independent security certification because it increases confidence in the product's security assurance, functionality, quality and effectiveness. In addition, the Japanese government is considering a tax break for certified products which will benefit enterprise customers in that country

The Common Criteria certification (CC) permits comparability between the results of independent security evaluations. It does so by providing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation. The evaluation process establishes a level of confidence that the security functions of such products and systems and the assurance measures applied to them meet these requirements. The evaluation results may help consumers to determine whether the IT product or system is secure enough for their intended application and whether the security risks implicit in its use is tolerable.

The Common Criteria certification addresses protection of information from unauthorized disclosure, modification, or loss of use. The categories of protection relating to these three types of failure of security are commonly called confidentiality, integrity, and availability, respectively. The CC may also be applicable to aspects of IT security outside of these three. The CC concentrates on threats to that information arising from human activities, whether malicious or otherwise, but may be applicable to some non-human threats as well. In addition, the CC may be applied in other areas of IT, but makes no claim of competence outside the strict domain of IT security. For additional information please click here.