Firewall Wizards mailing list archives

Re: Firewall certification


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 23 Jul 1999 14:02:55 -0500

At 11:45 AM 7/23/99 +0100, kris.van.opstaele () be arthurandersen com wrote:

On their website, you can find their "Product Certification Criteria"
(version 3.0, currently).  Did anybody check out these criteria in detail,
or their certification process as a whole?

I haven't looked at it recently, but in the past their certification
essentially shows that the firewall is capable of blocking traffic on
command. They don't do detailed vulnerability analyses, but then they cost
that much (somewhere between $10K and $30K if I remember correctly).

Furthermore, are there other similar initiatives (such as ITSEC, Common
Criteria) to certify popular firewall products?

NIST has published two draft Common Criteria Protection Profiles for
firewalls, and various folks in the government are talking about developing
a couple more for higher security boundary protection.

At the present there are several firewalls that have completed ITSEC
evaluation in the UK. I've only found one firewall that's completed a
Common Criteria evaluation and I don't know if it followed a particular
protection profile or not. There are international treaties declaring that
participating governments (US, UK, Germany, Netherlands, I think) will
recognize each other's Common Criteria evaluations. This doesn't
automatically extend to TCSEC or ITSEC evaluations, though.

Common Criteria evaluation is at least an order of magnitude more expensive
than ICSA firewall certification.

Rick.


