VMworld
Up to Discussions in rPath Expert Session

This Question is Possibly Answered

1 "correct" answer available (4 pts) 2 "helpful" answers available (2 pts)
9 Replies Last post: Mar 31, 2008 12:55 PM by martywesley  
Click to view Marcus Vollmer's profile Apprentice
Marcus Vollmer
28 posts since
Mar 18, 2008

Mar 20, 2008 12:59 PM

Finance and Government sectors?

Billy,

My direct interest is in the financial sector. Does rPath offer a FIPS certified version of rPath? Does rPath have any plans / timeline for FIPS certification and will rPath offer services to help ISVs obtain FIPS certification for their rPath based solutions?

While your solution is great for ISV, we have spent some time looking at it and it would appear to alienate ISVs from doing business in some sectors. The level of control over forced updates is in the hands of the ISV, not the end customer. So for banking customers, rPath Linux based solutions would not be considered. I understand this can be offered by plug-in. But that plug-in can still be overridden by the ISV. There is no guarantee to the end customer that a change in business, acquisition of the ISV would not result in the loss of control over part of their network.

This is built into rPath rAA by design, can you comment on this ? Is this why rPath is focused on SMB ?

Thanks

Marcus
Click to view billymarshall's profile Apprentice
billymarshall
15 posts since
Sep 10, 2007
1. Mar 20, 2008 1:29 PM in response to: Marcus Vollmer
Re: Finance and Government sectors?

Marcus,

FIPS is not an issue. I spent 4 years running Red Hat's North America sales operations. My two largest customer segments were Wall Street financial services firms and the Federal government. I can assure you that FIPS is not a gating factor in rPath adoption by these segments. There are several hundred implementations of our appliances already in place across these sectors.

Regarding maintenance, it is not "automatic" as you suggest. It is user defined regarding schedule and application. I am not certain where you got the idea that the user had no control over the schedule of the application of maintenance? The vendor defines the patches (as with the legacy model). The only difference is that the patches are actually tested by the vendor in the exact configuration in which they will be deployed. In the legacy model, the customer is responsible for this testing because each customer implementation is custom or unique. A massive headache for the customer and the ISV.

Billy

Click to view Marcus Vollmer's profile Apprentice
Marcus Vollmer
28 posts since
Mar 18, 2008
2. Mar 20, 2008 1:36 PM in response to: billymarshall
Re: Finance and Government sectors?
Billy,

I would have to disagree, most of our financial and government / military customers require FIPS. I take it from your answer that rPath is not FIPS certified and there are no plans for FIPS certification?

I was not referring to maintenance but to "upgrades". Your SE explained that "upgrades" whether they are automatic or manual, is determined by the ISV not the end user customer. The SE said it was the entire basis for the design (less headache). He did say that the ISV could grant permission to the customer to review the upgrades first and do them manually, but that this "permission" could be revoked at any time. Are you saying that your SE is wrong and that an end-user customer can stop the upgrade process even if that is in conflict to how the ISV wants it?

Thanks

Marcus
Click to view billymarshall's profile Apprentice
billymarshall
15 posts since
Sep 10, 2007
3. Mar 20, 2008 1:40 PM in response to: Marcus Vollmer
Re: Finance and Government sectors?

Marcus,

FIPS certification is based upon the specifics of the application, and it is easily obtained. I am not concerned about FIPS certification.

Regarding maintenance, please re-read my post. The vendor determines the patch, as with the legacy model. The customer determines the timing of the patch, as with the legacy model. If the patch is not applied, support can be degraded, as with the legacy model. The difference is the patch is actually tested by the vendor before being deployed by the customer.

Billy

Click to view Marcus Vollmer's profile Apprentice
Marcus Vollmer
28 posts since
Mar 18, 2008
4. Mar 20, 2008 1:45 PM in response to: billymarshall
Re: Finance and Government sectors?
Billy,

You may not be concerned with FIPS certification but as a potential customer who has a lot of customers who require FIPS certification I certainly am. FIPS certification requires a good deal of work, the fact that you seem to think it is easily obtained shows you are not as familiar with it. If FIPS certification was easy to obtain vendors would keep FIPS certification in-line with the regular release of their products.

Your response suggests you have no plans for FIPS, that is unfortunate, as without rPath Linux being certified, your customers will have to get rPath Linux certified in order to get their application certified as it sits on top of rPath Linux.

I read your post, I am asking you now if your SE is wrong? Can you please confirm that the customer can indeed prevent the patch from being applied even if the ISV has mandated all patches be applied? Your SE was very convincing when he said the system was designed to force upgrades to reduce headaches for the ISV.

Thanks
Click to view Christoph Wegener's profile Candidate
Christoph Wegener
1 posts since
Mar 20, 2008
5. Mar 20, 2008 2:52 PM in response to: Marcus Vollmer
Re: Finance and Government sectors?

Hello Billy, Hello Marcus,

I want to chime in quickly into this very interesting discussion.

I am assuming you are talking about FIPS 140-2 compliance here? Is that correct? If this is the case, it would be required to know where exactly in the rPath appliance a cryptographic module is used. I would guess that rPath uses the OpenSSL library at least. And OpenSSL is available as a FIPS 140-2 validated module. The question of using this OpenSSL module is discussed in section 5.5 of the document:

http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf

Christoph

Click to view billymarshall's profile Apprentice
billymarshall
15 posts since
Sep 10, 2007
6. Mar 21, 2008 10:57 AM in response to: Christoph Wegener
Re: Finance and Government sectors?

Christoph,

Thanks for the post. rBuilder actually reports out the crytographic libraries included in any given virtual appliance. Maintaining a manifest of licenses and cryptographic libraries is actually part of our value proposition. It not only helps with things like FIPS, but it also helps with export control. Knowing what you ship is important, but it is funny how many appliance companies we come across that cannot confirm their compliance with licenses or export controls.

Billy

Click to view martywesley's profile Apprentice
martywesley
8 posts since
Sep 10, 2007
7. Mar 21, 2008 11:25 AM in response to: Marcus Vollmer
Re: Finance and Government sectors?

Marcus,

You mention in another post on this site that you "...currently have a cut down version of Fedora we use as a base for our
vmware images and can control with traditional SCM methods such as CVS
and subversion."

Can you post information on Fedora's FIPS certification?

Click to view Marcus Vollmer's profile Apprentice
Marcus Vollmer
28 posts since
Mar 18, 2008
8. Mar 25, 2008 5:28 AM in response to: martywesley
Re: Finance and Government sectors?
Marty,

Sure. We actually use Red Hat Enterprise Linux for government / financial customers. We use RHEL because our customers that require FIPS also require Common Criteria certification:

http://www.redhat.com/solutions/government/commoncriteria/

Which obviously you do not get with Fedora Core.

I could not find rPath's common criteria certification anywhere??

Thanks
Click to view martywesley's profile Apprentice
martywesley
8 posts since
Sep 10, 2007
9. Mar 31, 2008 12:55 PM in response to: Marcus Vollmer
Re: Finance and Government sectors?
RHEL is too expensive for some solutions. I was hoping that the free Fedora version would have FIPS certification. I guess the price of RHEL is all those certifications.

Actions

More Like This