Press Release

NetWare 4 Enters Final Phase of C2 Evaluation

On Track to Receive First Client-Server Network Rating


PROVO, Utah — August 28, 1995 — Novell, Inc., today announced that on August 4, 1995, NetWare® 4 formally entered C2 evaluation at the National Computer Security Center (NCSC), part of the National Security Agency. NetWare 4 will be the first general purpose network operating system to receive a Trusted Network Interpretation (TNI) Class C2 rating resulting from evaluations of a server component, a client component and a complete network. The NCSC's evaluation will ensure that NetWare 4 provides the most secure and robust network operating system available.

The Novell evaluation is against the NCSC's TNI of the Trusted Computer System Evaluation Criteria (TCSEC). Novell has entered this evaluation along with Cordant®, Inc., whose Assure product provides the critical security capabilities for the workstation to control access to the network and to local memory and peripherals.

Security is one of the seven basic network services required by customers. According to Richard King, executive vice president and general manager of Novell's Systems Group, "Novell has always been committed to providing the highest level of security in our products. Customers need to know that the information on their entire network is protected. By entering the formal evaluation of a TNI C2 rating, we continue to show that no other network operating system on the market can match NetWare 4."

According to John Pescatore, research director for IDG's Information Security service, "Security is of vital importance for the computing industry. The value of the NCSC's C2 evaluation program is that it provides an independent, objective rating of security systems. While a C2 rating is not a panacea, it has become a standard for commercial businesses as well as government and military organizations. Customers are using it as a differentiator when making product purchasing decisions."

"Our evaluation of NetWare and Assure is the first of its kind," said John Davis, director of the NCSC. "No other evaluation has been performed on a complete client/server system capable of operating across a network in the way people will actually use it. We are confident that our evaluation of Novell and Cordant's network system will justify the trust their existing customers have already placed in the security designs of these companies."

Tom Ballard, vice president of Federal Operations for Cordant, states, "When Novell first approached us with the idea of participating in the C2 evaluation process, we immediately recognized the value of such an initiative. Security of sensitive and critical information has and will continue to be of vital concern to not only government organizations, but also to crucial electronic commerce activities across the network. The evaluation process has allowed us to continually improve the security of our systems. We look forward to receiving the TNI C2 rating, which will justify the tremendous confidence we have in our products."

"Our working relationship with Novell and Cordant has been one of total cooperation," said Dennis Kinch, chief of NSA's Trusted Product Evaluation Division. "Since the NetWare evaluation is the first one where we have separately evaluated heterogeneous components as part of a client-server networked system, we have gone through a learning experience along with both companies. The experience of working in such a collaborative way has been a great opportunity for everyone involved."

Security Evaluation Criteria

The NCSC and Department of Defense have defined the requirements for security evaluations of operating systems and networks. Evaluations based on the TCSEC, commonly referred to as the "Orange Book," determine the security of a standalone system, such as a client workstation or server, but make no judgment as to the security of that system within a networked environment. In other words, a product that has received a TCSEC C2 rating loses that rating when it is connected to a network. By contrast, the TNI, known as the "Red Book," expands the TCSEC criteria to networked systems, and is used to determine the security of network components and of the network as a whole.

Novell Open Security Architecture

Novell has a program to allow other vendors to qualify for a C2 evaluation rating as part of a NetWare network. Novell's open security architecture allows hardware manufacturers to submit their systems to be evaluated as part of a NetWare 4 network without having to repeat the entire evaluation for the server component or network system.

E2 Evaluation for NetWare 4

NetWare 4 is currently also in the evaluation process for an E2/F-C2 rating through Electronic Data Systems, a European Commercial Licensed Evaluation Facility. The criteria for an E2/F-C2 rating are similar to those of the NCSC and require essentially the same functions--identification and authentication, discretionary access control, audit and object reuse. Since the E2 evaluation is so similar, all of the relevant preparation work carried out for the TNI C2 program provides valuable input for the European rating.

Novell is pursuing the C2 and E2 ratings as a significant step along the path of expanding security services for existing as well as emerging advanced computer technology environments. The milestone announced today adds to Novell's foundation for growing security capabilities. Novell will continue to build upon this foundation to meet customer needs for more convenient and capable security services.

For more information about Novell products and services, customers can call 1-800-NETWARE or visit the Novell home page at http://www.novell.com.