Is EAL4 certification necessary for enterprise firewall products?

Brad Casey, Network Security

I'm using Gartner's recent Magic Quadrant report on firewalls to help choose a firewall for my company. For one of the products, Gartner cautions that it doesn't have EAL4+ level certification for the Common Criteria for Information Technology Security Evaluation. What exactly does that mean, and should it be a deal breaker in certain situations?

Ask the Expert

Have a question about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)

The Evaluation Assurance Level (EAL) is the grade assigned to a product or system after completing a Common Criteria security evaluation. For those who aren't familiar with it, Common Criteria (CC) is a set of security product evaluation specifications used internationally for evaluating information security products. The levels range from EAL1 to EAL7; EAL1 being the most basic -- and therefore cheapest -- to accomplish, and EAL7 the most in-depth -- and expensive -- level of evaluation. 

Many large organizations wish to leverage network devices certified at EAL4 due to the prestige associated with achieving the level. It is also commonly accepted that EAL4 is the highest level of certification any device that is backwards compatible to an existing product line can possibly achieve.

According to research and consulting firm Gartner Inc., achievement of EAL4 means that a device has been methodically designed, tested, and reviewed by an independent third party.  So, lack of EAL4 certification does not necessarily mean that your chosen firewall is insecure, it simply means that your firewall may not have been tested in accordance with Gartner's Magic Quadrant methodology. 

The lack of an EAL4 rating should never be a deal breaker in and of itself.  Many vendors use other security consulting firms to test their network devices, and they work just fine.  No less than Gartner, Inc. itself states that they don’t research every vendor in every market.  This would be infeasible.  So if a vendor product that your organization is considering purchasing has not achieved EAL4 status, this simply means that a little more research is necessary on your part.

View the next item in this Essential Guide: Firewall best practices or view the full guide: Enterprise firewall protection: Where it stands, where it's headed

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Expert Discussion

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest