Topic: Standards compliance  (Read 2037 times)
« on: July 25, 2008, 11:51:27 »
purplebadger *
Posts: 9

Hi,

I use m0n0wall for an internet connection and also for a VPN ADSL connection into the UK's NHSNet (National Health Service intranet).

As part of their security process, the NHS requires that the firewall we use be E3/EAL4 compliant. I have no idea whether m0n0wall conforms to this standard, and Google isn't providing much help (or I'm using the wrong search terms). I can't actually find much information about these standards either.

I'm perfectly happy with our current solution, but as part of a box-ticking exercise, it appears our firewall must comply. Can anyone tell me whether m0n0wall does comply with these standards, either officially or unofficially?

Many thanks.

Tom
« Reply #1 on: July 25, 2008, 16:01:54 »
purplebadger *
Posts: 9

http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples of such operating systems are Novell NetWare, SUSE Linux Enterprise Server 9[1] [2], SUSE Linux Enterprise Server 10[3], Windows 2000 Service Pack 3 and Red Hat Enterprise Linux 5.[4]

Operating systems that provide multilevel security are evaluated at a minimum of EAL4. Examples include Trusted Solaris, Solaris 10 Release 11/06 Trusted Extensions[5] and an early version of the XTS-400.

So that's what EAL4 is. And Windows 2000 (SP3!) is compliant...

I think I just need a sticker saying "yes, we comply", but I'd be grateful for any feedback.
« Reply #2 on: July 26, 2008, 22:30:29 »
cmb *****
Posts: 851

There's a lot more to it than saying "yeah, it's compliant". You also cannot certify it yourself. There is an official and extremely costly process to get something certified, and it's generally a royal pain and very expensive.

If a project requires something that's already EAL, m0n0wall isn't going to be a reasonable solution, nor is any other open source firewall unfortunately.
« Reply #3 on: July 28, 2008, 20:47:20 »
purplebadger *
Posts: 9

Thanks for your reply.

It depends how they determine compliance - whether it's as you say, a strict formal process - or a check list of whether it does x, y, and z. I'm hoping - admittedly without much hope - that the latter is the case, and that they *consider* m0n0wall to be compliant even if it doesn't come with a sticker saying so.

Thanks again.
« Reply #4 on: July 29, 2008, 12:59:48 »
purplebadger *
Posts: 9

Hi,

Just as a follow up, NHS Connecting for Health *do* consider m0n0wall to be an acceptable solution for firewalling both our internet connection and NHSNet connection.

Yay for m0n0wall - again!

Cheers.