New standard would give seal of approval to networking equipment
Prompted by Texas law, Underwriters Laboratories begins assessing networking devices for security, resiliency
- By William Jackson
- Feb 16, 2011
SAN FRANCISCO — Underwriters Laboratories is ready to begin certification of networking products to meet requirements of a new Texas law.
The law requires certification of equipment used in state networks for resiliency and security.
The product safety lab released the initial version of specifications for a new standard to meet these requirements, UL 2825, on Jan. 31 and announced at the RSA Conference that it is ready to begin product certification.
The program is part of a recent expansion into cyberspace by UL, which was established in 1894 to assess the safety of new electrical appliances. UL was accredited in 2008 under the National Institute of Standards and Technology’s National Voluntary Laboratory Accreditation Program to do cryptographic and security testing against the Federal Information Processing Standard 140-2, and it currently is the only lab accredited to certify networking products under the Texas law.
IP networks have become a utility underlying much of our economy and daily activities and have real safety consequences, said Ken Modesto, principal engineer for the UL program. “That was a big rationale for us getting into this space.”
“Over the last decade, we have shifted our telecommunications from plain old telephone service to Web-based communications,” said Robert Jamieson, director of global commercial operations, Life Safety & Security at UL. Because little security has been built into the Internet, “we’ve gone to a telecom system that is intrinsically not safe.”
Changes in store for Common Criteria
Governmentwide security certification could bolster cloud, report says
The Texas law requires that networking equipment bought by state agencies, including universities, after Dec. 1 be validated on their performance and resiliency to known security vulnerabilities. Vendors must have equipment certified before it can be purchased. The initial UL standard validates real-world performance against vendor claims rather than establishing required levels of performance, much like the Common Criteria used for federal IT security products.
UL 2825, released in January is not yet a formal standard. It is the “first issue of the Outline of Investigation for Resiliency of Network Infrastructure Components, Subject 2825.” The intent is to eventually have it adopted as an industry standard through the American National Standards Institute, Modesto said. The current document describes test standards for evaluating products against published vulnerabilities from the National Vulnerability Database, a standardized listing of vulnerabilities run by NIST.
“This outline does not evaluate the effectiveness of a product to defend against or counter an exploit of a published vulnerability but its ability to continue to operate as intended per the manufacturer’s claims of performance while subjected to the exploit under the test criteria of the published vulnerabilities,” the UL documentation states.
Although the law driving development of UL 2825 applies to all network hardware and software, the initial version concentrates on a handful of components that Modesto described as “the first line of defense for any type of IP infrastructure.” They are:
- Intrusion prevention systems.
- Universal threat management devices.
- Converged network server equipment.
“The intent is to have two or three revisions over the next couple of years,” that will encompass mobile devices and client and enterprise software, Modesto said.
Testing against UL 2825 is done using the Storm Cyber Tomography Machine (CTM) or Fire Storm CTM, high-performance modeling tools from BreakingPoint. The CTMs generate high volumes of application and malicious traffic against network components and detect and measure the effects over time to help pinpoint weaknesses against known vulnerabilities that are regularly updated.
Currently, BreakingPoint has the only devices that can simulate the conditions necessary to validate products against the UL standard, said BreakingPoint CEO Des Wilson.
Wilson said he expects government certification to become a new market for the CTM. Six or seven other states are considering certification requirements similar to those in Texas, and federal legislation also was introduced in the last Congress.
“We’re going to see a number of these over the near term,” Wilson said.
William Jackson is freelance writer and the author of the CyberEye blog.