Firewall Wizards mailing list archives
Re: Firewalls - ITSEC Rating?
From: Tim.Wundke () camtech com au
Date: Fri, 4 Feb 2000 16:48:16 +1030 (CST)
On 3 Feb, Marcus J. Ranum wrote:
> > The ITSEC evaluation says that the product met the requirements documented in its "Security Target" document.
>
> Right, if I understand correctly, it's a lot like those ISO9000 deals - you're evaluated on whether or not you actually do what you claim to do. And, since everyone's claims can be subtly different, in the end the evaluation is useless because a user of the evaluated product has to re-evaluate the product to see if the claims make sense for their purpose.
Yep. If the product is not used under the same conditions that it was evaluated under (i.e. exact same version/revision, sometimes on particular hardware, possibly with any number of other restrictions), the evaluation essentially means nothing. So a user must determine whether these restrictions make sense for them. The biggest problem I see in things like firewalls (and other fast-ish paced software/hardware) is that every version/revision must be evaluated, which means big expenditure on the part of the developer to maintain a rating.
> I once thought about trying to get a 10baseT hub ITSEC evaluated as a firewall (albeit a very permissive one) but the mountains of paperwork and the huge amount of time and money necessary are daunting.
E1 and E2 aren't too bad, although to my mind the ratings mean little anyway. E3 and E4 start getting prohibitive, unless you're following pretty rigorous design/documentation procedures anyway. E5 and E6 are just plain horrendous!
> I'm sure that many on this list will be shocked to hear me say this, but the ICSA firewall product certification is orders of magnitude more valuable to real customers than ITSEC evaluation.
So far as I can tell, ITSEC and Common Criteria ratings are mainly used by governments when buying products (I believe an ITSEC rating is mandatory in Australia for some purchases). They can be of some use to commercial companies, but the restrictions placed on the "secure" use of them may be prohibitive.
Tim.
What's the difference between roast beef and pea soup?
Anyone can roast beef.
These are, of course, my opinions only.