RI # 206 - Point of Clarification

Type: Explanation/Clarification
Source: Web form
Date: 02/07/2002
Status: Received
Source #: Web Form
CC Part #1 Reference:
CC Part #2 Reference:
CC Part #3 Reference:
CEM Reference:
Reason: Point of Clarification
Problem:

A great deal of interest has recently arisen concerning multi-vendor firewall solutions and the Common Criteria Certification process. For lack of a better way to fully explain my concern, I submit the following example:

Ace Software submits its Super Firewall Software to a lab and obtains an EAL 4 rating for the Super Firewall Software.

Ace Software now forms a partnership with Ben's Hardware Platforms Inc. The resulting appliance uses Ace's Super Firewall Software superimposed on an operating system that supports the firewall as well as additional features that are used by Ben's hardware.

The question: Does this new (Hardware and Software implementation) retain the software's EAL4 rating or does it become questionable because of the addition of both new hardware and software introduced by the partnership?

Proposed Solution: