Great Circle Associates Firewalls
(April 1995)

Subject: Re: TRUST US
From: rmck @ sandfiddler . paragon-systems . com (Bob McKisson)
Date: Thu, 27 Apr 1995 11:54:41 -0400
To: mjr @ tis . com
Cc: firewalls @ greatcircle . com

Marcusez...
 
> It's interesting that I'm the only representative from a firewall
> vendor that has touched the discussion. :) You'd think that people
> would be *impressed* by the fact that our source code has been
> published and reviewed by all the experts and hackers out there,
> including our competition.  You'd think people would be *impressed* by
> the fact that we have published our design criteria and how/why we do
> what we do. Ask the other guys what goes on inside their black boxes
> and they'll tell you "trust us."

Huummmmmm...well yes Marcus...some I suppose are impressed.  And your
forthrightness and that of TIS is indeed noble.  However, national
security and the information asset protection needs of corporate
America notwithstanding, we live in a dollars and cents world.  To
suggest that publishers of commercially developed security software
products should lift their skirts so that whodahellknowswho can
have a peek, ostensibly for the purpose of bestowing some *ad hoc*
Good Housekeeping seal of approval, is just not the way the business
world sees things.  And rightly or wrongly...that's the world we
operate in, and the one that counts.

Now...if you would like to volunteer to do what NIST, NSA, DISA and
other information security policy wonking organizations, promulgators,
implementers, and a number of associations have given lip service to,
and chair the establishment of a standing committee to come up with a
draft criteria and standards for evaluation and performance testing for
COTS firewall products, that then can be used as a guidepost for
industry and particularly the user community, and lord knows we need
one, then there just may be some incentive for the vendors to
cooperate.

If you choose to bite that one off, you can count on me to jump in with
both feet to help you digest it.  But barring that, my guess is that
until some common sense comes into the firewall benchmark discussion,
you'll just have to be content in continuing to label most of the other
vendors, who have rightly decided that their source code is not available
for examination by whodahellknows, and by whose specmarks, as "security
by obscurity."

rmck
