please consider German BSI certification

[JimYuill]

The OP is 6 months old, but for anyone who ends-up here looking into CC...

Back in 2008, I wrote a paper on the published criticism about CC.
I presented the paper at a DoD conference.
“Common Criteria: A Survey of Its Problems and Criticism”
Department of Defense Cyber Crime Conference 2009, St. Louis, MO, January 2009

I just put the paper on my website, FYI:
https://jimyuill.com/cs-research/comp-sec-papers/

The paper is dated, but may be useful, as some of the problems likely persist.

Abstract: The Common Criteria (CC) is a computer-security standard that some governments use for procurement, e.g., the U.S. Department of Defense. To sell information-security products in these markets, CC certification is required. Much has been published about problems with CC, and there is extensive criticism of CC. For example, a director of the U.S. CC program was recently quoted as saying, “Defending the program is a full-time effort. It is a difficult job.” This paper presents a survey of the problems and criticism reported about CC. The paper provides: (a) a categorization for the reported problems, (b) a survey of the reported problems, organized by category, and (c) an annotated guide to the sources that were especially useful and authoritative. This paper is intended as a resource for those who are: evaluating CC for possible use, preparing to use CC, or researching CC itself.

The criticism about CC fell into three categories:
* Problems with CC’s effectiveness
* Problems with CC’s stated limitations
* Problems with CC implementation

[dstr]

another update. The opnsense hardware distributor just tried to catch us with BSI promises. Then sold us a overpriced garbage device that failed on the initial installation. Therefor opnsense is not on the list anymore after 2026. Maybe I reach the 100 active devices until then.

[franco]

With all due respect I don't think your posts (old and new) ooze professionalism. Part of it is knowing when to stop a discussion and the other part is knowing not to throw shade at random anonymous entities allegedly screwing you over. You can solve all those things in business scopes yet you choose to drag them out in public.

It's time to let this thread go.

[doktornotor]

Does BSI stand for BullShit Initiative, or what? Wasted 10 minutes of my life trying to make sense of what this thread is about... Next time, I'd rather have some beer. WTH.

[Patrick M. Hausen]

It's Bundesamt für Sicherheit in der Informationstechnik - Federal Bureau for IT Security, and they do publish a lot of pretty good things. Like the IT Grundschutzhandbuch - IT Basic Security Manual. A catalog with concrete advice for dozens of products and protocols and their respective recommendations.

My core argument is that their certification is so niche, no major vendor actually cares and I know of no large enterprise (and I worked for quite some) that would run anything but Cisco, Juniper, Checkpoint, Fortigate, ... all not BSI certified.

Only vendor that regularly re-certifies their firewalls with BSI is german Genua. They specialise in winning government contracts 
The downside: their firewall actually cannot do much. Think of TIS FWTK or very early Gauntlet. Yes - that. So the firewall is highly secure, but it does not support many applications or modern concepts.

Kind regards,
Patrick

[doktornotor]

Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate.  

[dstr]

Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate.  

yes makes sense that opnsense should apply to dutch regulation. currently it looks like for critical infrastructe (where it comes to real security and not just homelab security) they will change laws, so you can only use hardware/software built in germany. at that point, opnsense would not able to use anyway for real security needs (in germany).

[franco]

opnsense would not able to use anyway for real security needs (in germany).

I think we already know that was your opinion from the start. No need to reiterate.


Cheers,
Franco

[Patrick M. Hausen]

they will change laws, so you can only use hardware/software built in germany.

Yeah, I can see Siemens, Deutsche Bank, Volkswagen, ... all throw out their million Euro worth of Cisco and Checkpoint gear for some "real security"