Your company designs and develops firewalls. Which of the following is the most significant characteristic that can contribute to the highest level of assurance if a firewall is evaluated in terms of the Common Criteria?
A. The product is designed based on a finite state machine
B. The product functions effectively as described in the product manual
C. The product is developed based on a high-cohesion, low-coupling architecture
D. The product is tested and checked with the support of the product engineering team
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. The product is designed based on a finite state machine.
- EAL 6/7: The product is designed based on a finite state machine
- EAL 4/5/6: The product is developed based on a high-cohesion, low-coupling architecture
- EAL 3: The product is tested and checked with the support of the product engineering team
- EAL 1: The product functions effectively as described in the product manual
The finite state machine is a “formal model” upon which a design or architecture can be developed. If a product is developed based on a formal model, the design is eligible to be formally verified.
A high-cohesion, low-coupling architecture is desirable, but it is not necessarily designed on a formal model; it may be designed methodically or semiformally, and a semiformal design may be verified only to that degree.
If the product (TOE) is functionally tested, it is shown to function effectively as described in the product manual. EAL 1 doesn’t require the vendor’s engineering team to collaborate with the CC laboratory.
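To make concrete what “designed based on a formal model” buys an evaluator, here is an added example that is not from this post or from any CC-evaluated product: a toy firewall connection-tracking finite state machine in Python, followed by an exhaustive check of two properties a design reviewer would demand (every state/event pair is defined, and inbound traffic is never admitted without an inside-initiated connection). The state names, event names and transition table are assumptions constructed for illustration.

```python
from collections import deque

# Constructed toy model (added example, not code from the page): the connection
# tracking core of a stateful firewall as an explicit finite state machine. State
# and event names are assumptions; enumerating every transition lets us check it.
STATES = ("CLOSED", "SYN_SENT", "ESTABLISHED")
EVENTS = ("OUT_SYN", "IN_SYN", "IN_SYNACK", "IN_DATA", "CLOSE")
A, D = "ALLOW", "DENY"

TRANSITIONS = {  # (state, event) -> (next_state, verdict)
    ("CLOSED", "OUT_SYN"): ("SYN_SENT", A),      # inside opens a connection
    ("CLOSED", "IN_SYN"): ("CLOSED", D),         # unsolicited inbound SYN
    ("CLOSED", "IN_SYNACK"): ("CLOSED", D),
    ("CLOSED", "IN_DATA"): ("CLOSED", D),
    ("CLOSED", "CLOSE"): ("CLOSED", D),
    ("SYN_SENT", "OUT_SYN"): ("SYN_SENT", A),    # retransmitted SYN
    ("SYN_SENT", "IN_SYN"): ("SYN_SENT", D),
    ("SYN_SENT", "IN_SYNACK"): ("ESTABLISHED", A),
    ("SYN_SENT", "IN_DATA"): ("SYN_SENT", D),
    ("SYN_SENT", "CLOSE"): ("CLOSED", A),
    ("ESTABLISHED", "OUT_SYN"): ("ESTABLISHED", D),
    ("ESTABLISHED", "IN_SYN"): ("ESTABLISHED", D),
    ("ESTABLISHED", "IN_SYNACK"): ("ESTABLISHED", D),
    ("ESTABLISHED", "IN_DATA"): ("ESTABLISHED", A),
    ("ESTABLISHED", "CLOSE"): ("CLOSED", A),
}

def step(state, event, transitions=TRANSITIONS):
    """Apply one packet event to a tracked connection; returns (next_state, verdict)."""
    return transitions[(state, event)]

def verify(transitions=TRANSITIONS, start="CLOSED"):
    """Check the model exhaustively; returns every violated property (totality:
    each (state, event) pair is defined; safety: an unsolicited inbound SYN is
    never allowed and no inbound packet is allowed while nothing is tracked)."""
    violations = [f"undefined transition {(s, e)}"
                  for s in STATES for e in EVENTS if (s, e) not in transitions]
    seen, queue = {start}, deque([start])   # breadth-first state exploration
    while queue:
        s = queue.popleft()
        for e in EVENTS:
            nxt, verdict = transitions.get((s, e), (s, D))
            if e == "IN_SYN" and verdict == A:
                violations.append(f"unsolicited inbound SYN allowed in {s}")
            if s == "CLOSED" and e.startswith("IN_") and verdict == A:
                violations.append(f"inbound {e} allowed with no connection")
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return violations
```

Because the state space is finite and fully enumerated, `verify` proves the properties for every reachable state rather than sampling behaviour with test packets, which is the distinction between a formally modelled design and a merely tested one.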
- Common Criteria – Evaluation Assurance Level
- Common Criteria: PP, ST, and TOE
- CISSP PRACTICE QUESTIONS – 20200517
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.