Certifications
The Fox DataDiode, or more precisely the hardware data diode, has a Common Criteria EAL 7+ certificate. It has also been independently evaluated and approved by two EU member states (Netherlands and Germany) for use up to and including Secret national classification levels, i.e. Stg Geheim and Geheim. Finally, the hardware diode of the Fox DataDiode is listed in the NATO Information Assurance Product Catalogue (NIAPC) and is approved for use up to and including NATO Secret (NS).
Common Criteria
In short, the Common Criteria (CC) are an internationally agreed technical basis for evaluation and recognition of information technology (IT) security products. These products are evaluated by a competent and independent licensed laboratory against IT security claims made in formal supporting documents. If successful, the result is a certificate issued by one or more Certificate Authorization Schemes, recognised by all national and international Participants.
What countries participate in Common Criteria?
The current CC members are Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Korea, Malaysia, Netherlands, New Zealand, Norway, Pakistan, Singapore, Spain, Sweden, Turkey, United Kingdom, United States.
Evaluation Assurance Levels
The levels are the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic and EAL 7 being the most stringent.
What does the + in 7+ stand for?
Evaluation Assurance Levels can be “augmented” with requirements from a higher assurance level. In the case of the Fox DataDiode, the EAL 7+ stands for a complete evaluation based on all classes within the Common Criteria.
Security Target
The Fox DataDiode has undergone three Common Criteria evaluations. In September 2009 a Common Criteria EAL 4+ certificate was received under the Dutch Scheme. In March 2010 an EAL 4+ certificate was received from the Norwegian Certification Authority for IT Security (SERTIT).
In June 2010 the Dutch EAL 4+ certificate was updated by the Dutch National Certification Body (NL-NCSA) to the highest assurance level possible within Common Criteria: EAL 7+.
All Common Criteria Security Targets can be found at the Common Criteria Portal under Boundary Protection and Other Devices.
Mutual Recognition
The Common Criteria Recognition Agreement (CCRA) in the field of IT security between its Participants contains an Arrangement stating it is mutually understood that the Participants recognise the certificates which have been authorised by any other certificate authorising Participant. This covers claims of compliance against any of the Common Criteria assurance components required for Evaluation Assurance Levels 1 through 4. Evaluations up to EAL 7 have an additional European agreement under SOGIS MRA for the following European countries: Finland, France, Germany, Greece, Italy, the Netherlands, Norway, Spain, Sweden, Switzerland and the UK.
In other words, the Fox DataDiode with EAL 7+ is recognized by (almost) all European nations up to and including Common Criteria EAL 7.
National and EU Approval
Independently of any other certification or approval, both the governments of the Netherlands and Germany have evaluated the hardware data diode that is part of the Fox DataDiode. Both countries have approved the product to protect their government networks up to and including Secret (nationally denoted as Stg Geheim and Geheim respectively). This means that the Fox DataDiode can be deployed in these EU member states, even to connect a state secret network to the Internet.
Unfortunately, the EU certification/approval schemes do not apply to non-cryptographic products, otherwise the hardware data diode would have 'automatically' been approved for use up to and including EU Secret. It is however likely that this will change in the near future and that the Fox DataDiode will also have a hardware data diode that is certified up to and including EU Secret (based on Common Criteria).
CESG (UK)
Under the Common Criteria SOGIS Mutual Recognition Agreement, the Fox DataDiode is 'automatically' accepted within the UK. Since the Data Diode is not a crypto product, it does not have to undergo a CAPS certification process.
More information on the Mutual Recognition by the CESG can be found at:
"The CESG Certification Body confirms that, under the SOGIS revised agreement effective 15 January 2009, it recognises certificates issued by the Netherlands CB (NSCIB) up to and including CC EAL7 and ITSEC E6" - CESG, May, 2010.
NERC-CIP Compliance
The North American Electric Reliability Corporation (NERC) develops and enforces reliability standards. The NERC Critical Infrastructure Protection (CIP) standards provide a security framework for the protection of Critical Infrastructures. The Fox DataDiode addresses CIP compliance and provides an Electronic Security Perimeter (ESP) according to the overall NERC-CIP framework.
NATO
The Fox DataDiode is approved for use up to and including NATO SECRET (NS). The diode is used under the NATO Evaluation Scheme GREEN which states that it had a full NATO evaluation with evaluation documentation set available, and NIACG certification. Furthermore, it is listed in the NATO Information Assurance Product Catalogue (NIAPC):
This approval is based on the Amber scheme. The Fox DataDiode is allowed to be used within all NATO countries and able to connect any network up to and including NATO SECRET.
Fox-IT have signed a Basic Order Agreement (BOA) with the NATO C3 Agency. The NC3A BOA is a reliable instrument for procurement of NATO approved products for NATO Members. The NC3A acts on behalf of NATO in accordance with NATO guidelines and procedures.
The NATO stock number of the Fox DataDiode is: 7025-17-129-2687
Fox-IT has been included in the NATO Master Catalogue of References for Logistics (NMCRL) and assigned the NATO Commercial and Government Entity Code (NCAGE):
- H1T25
