Security Basics mailing list archives
Re: RE: Is Microsoft ISA approved for US government use?
From: dean.white () oneguard com
Date: 2 Sep 2008 00:16:01 -0000
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 2 Version 4.0.3443.594 is evaluated to EAL4+.

A few important things to remember when using products from the CC are:

1> The device MUST be deployed and managed exactly as per the evaluated configuration, so in this case it has to be Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 2 Version 4.0.3443.594 (patch versions, configuration, even features). If the device cannot be installed, deployed and managed as per the evaluated CC target, then a risk assessment has to be performed which assesses how the changes affect the environment and what controls you are going to implement to mitigate the exposure of not using the device in its evaluated configuration. This is even the case if MS bring out patches for the application, and especially so when you are going to use a different version of the application. (Any other version of the application, even minor patches, service packs etc., means that the device is no longer in the evaluated configuration.)

2> On many platforms, only certain features are evaluated. For example, on some devices, the firewall component may be certified but not the VPN component. You should read through the Target of Evaluation documents and the Certification report to determine what parts of the MS ISA server are certified. So using MS ISA server as an IDS may not be an evaluated feature.

Regards
Dean White
Principal
Oneguard Consulting