Great Circle Associates Firewalls
(July 1995)
 


Subject: proving secure
From: Marcus J Ranum <mjr @ iwi . com>
Organization: Information Works! Inc, Baltimore, MD
Date: Tue, 25 Jul 1995 13:15:05 -0400 (EDT)
To: wyer @ telecheck . com
Cc: firewalls @ greatcircle . com
Coredump: Infocalypse Now!!!
Phone: 410-889-8569
Reply-to: mjr @ iwi . com
Url: <A HREF="http://iwi.com/mjr/mjr-top.htm">mjr's web page</A>

Brett Wyer writes:
>I think that the work has already been done as far as proving that NT is 
>secure.  Correct me if I'm wrong, but hasn't it been C2 certified?  Please 

	NT has only been "marketed secure" not "proven secure" :)

	This is such a common misapprehension I should probably
add this spiel to the FAQ:

	"Designed to meet C2" is not the same as "evaluated at C2" and
many vendors have been marketing their systems as being "designed to meet
C2 requirements." When someone says their product is C2 it's important
to inquire further. It may be simply that the product is "in evaluation"
or "we are thinking about someday getting it evaluated" or even "we are
just telling people we are thinking about getting it evaluated."

	I think Microsoft has actually got NT under evaluation and
I'm not sure of its status at this point (I'm sure someone will amplify)
but Microsoft at least earns a tip of the hat for effort in this area.

	However - you need to realize that the Orange Book and C2 and
all that stuff doesn't *PROVE* anything. C2 is a laundry list of
features, and, in fact, they're really basic ones that don't mean a
lot about its security. C2 includes things like - well - that you need
to be able to optionally require a password to log in, or that you
need to be able to protect files from different users, etc, etc. Very
very very basic stuff. C2 also doesn't say anything about testing. To
get a C2 system there's not really any penetration testing or any
real requirement that holes in the system that are identified be fixed.
C2 security is, frankly, underwhelming. It's better than DOS, but you
have to remember it's just a laundry list of functions some of which
may not be enabled by default, and which can be misused or not used.

	Don't be impressed by a C2 system.

	Lastly, you have to realize that a firewall embodies multiple
protective relationships. First off, the firewall has to protect itself
against attack (where C2, B2, B1, etc may help) it also has to protect
the networks on either side of it from each other. The box could be very
secure against direct attacks launched on it, but could leak like a
sieve when it comes to protecting the networks behind it.

	It's amazing to me the power of marketing to stretch people's
minds. No offense, but somehow you've managed to convert a bunch of
marketing noise about functionality of systems into "...has been
proven secure."  That's a very dangerous confusion and that's EXACTLY
what the marketeers want. It's unfortunate, since it works so well,
but it's wrong.

mjr.
