Underwriters Laboratories (UL) recently announced UL 2825, which is a framework for certifying resiliency in network products used in LANs and data centers. When announcing the framework, UL noted it is a response to legislation already enacted in one state, pending in others, and potentially set for consideration on a federal level.
UL 2825 covers servers, routers, firewalls, universal threat management devices, intrusion prevention systems and converged network server equipment.
The organization explained, "New IT security legislation introduced in the state of Texas enacted an IT infrastructure resiliency law in 2010 designed to hold IT device manufacturers accountable for product claims through an independent and thorough validation certification process. Pending legislation in several other states, as well as possible attention at the U.S. federal government level, will require independent resiliency certification of network and security products."
UL 2825 provides requirements under which "network infrastructure devices are evaluated against published vulnerabilities that affect a particular device," UL says. "The device is expected to continue to operate as intended while subjected to exploits of published vulnerabilities." The testing lab has said it has chosen BreakingPoint cyber tomography machines (CTMs) to use when testing to UL 2825. "We felt that BreakingPoint provided the product, solutions and security experience to best meet our needs," said UL's commercial director of operations for life safety and security industries Bob Jamieson.
When announcing the framework, UL also described what it will take for a device to achieve certification. Specifically, a device will be subjected to the following.
- Internet-scale network conditions including high-stress user load
- Real-world application traffic
- Live security attacks, updated monthly.
Measurements of the device-under-test's resiliency will be taken and compared to the manufacturer's published metrics. For devices that meet appropriate requirements, UL will publicize certification results. "This system of evaluation is ideal for equipment manufacturers to certify the resiliency of all products, as well as each time that product undergoes an update," UL said.