Log in

No account? Create an account
Ramblings Journals I Read Calendar The Dirt MegaZone's Waste of Time Older Older Newer Newer
MegaZone's Safety Valve
The Ramblings of a Damaged Mind
My tweets
From: ninjarat Date: October 18th, 2012 11:07 pm (UTC) (Direct Link)
Here's something that will bake your noodle: Windows 2000 SP3 and every released version of Windows since have EAL level 4+ certification. This is the same certification level that RHEL v5 and Trusted Solaris have. If you implement the target profile for a given OS -- and these device vendors usually do -- then you can reference that certification as part of your own certification process. Saves a lot of money since you don't have to certify the OS; that's already been done. The device is just as reliable as military applications because it's the same standards underneath (Common Criteria is a superset of DoD standards).

If even one line of code is changed then the whole thing needs to be resubmitted for testing. No OS vendor does this for weekly updates. Not Microsoft, not Sun, not Oracle, not Red Hat, not SuSE. None of 'em. Your RHEL server installed straight from DVD is EAL 4, but install even one updated RPM and it isn't EAL anything any more. It doesn't matter that the RPM fixes a bug. What matters is that you don't have the assurance that the system as a whole will work as described by the target profile.

This is where hospital IT departments find themselves in a bind. If they do patch then they modify the device outside of what is specified by the vendor which means no warranty support and no legal recourse if it fails. If they don't patch and connect it to foreign networks or peripherals....

So the answer still is "don't connect it".