IT security vendor McAfee has gone where no other security vendor has gone, so far at least. The company said its intrusion protection system (IPS), Intrushield, has achieved Common Criteria Certification EAL 3.
Common Criteria Certification is typically a critically important certification for defense and other highly sensitive areas of governmental IT operations. Many are mandated to only buy certified products. The rigorous certification standard is recognized in 20 countries and in the U.S is backed by the National Security Agency (NSA) and evaluated under a program called Common Criteria Evaluation and Validation Scheme (CCEVS).
“Defense related business worldwide is highly dependant on Common Criteria certification both in the U.S and in other countries that are signatories to the common criteria mutual recognition agreement,” McAfee Intrushield Director of Product Management John Parker told internetnews.com. “We find that it is very important to have this certification in order to do defense related business.”
McAfee claims that it is the first IPS vendor to achieve the important certification, though its competitor Symantec does have EAL 3 certification for its Manhunt Intrusion Detection System (IDS).
The difference between IDS and an IPS is that an IDS does not contain the prevention mechanisms that are included in an IPS system. EAL 3 is currently the highest level at which either an IDS or IPS is certified. According to McAfee’s John Parker, no vendor has certified to EAL 4 and no one has announced an intention to certify to EAL 4.
“We certainly wanted to raise the bar,” explained Parker. “We wanted to go out and say it can be done, we have done it. And to provide the extra value of level 3 certification as an incentive or attraction to buy our product for defence customers. Some of the competition I fully expect will take heed of that and try and raise their certification. But it’s not a fast process.”
According to Parker, McAfee’s certification process for Intrushield EAL 3 took 16 months. That allowed McAfee to conduct business with certain government agencies throughout the certification process.
“The agencies that we’ve been dealing with typically will accept the ‘in evaluation status’ for a certain period of time,” Parker said.
The Common Criteria EAL 3 certification also holds value for some enterprise IT buyers as well, Parker added. He argues that even those enterprise buyers that are not mandated to buy EAL 3 certified product appreciate the level of rigorous testing that is required.
“It’s not just the product itself that gets certified it’s the product design process that gets certified, the product delivery process that gets certified,” explained Parker. “So it gives you a good idea that you’ve got a vendor that is well qualified and well organized and can distribute a repeatable quality product.”
