Great Circle Associates Firewalls
(July 1996)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: NCSA Certification
From: Ian Johnstone-Bryden <ianj-b @ dial . pipex . com>
Date: Mon, 01 Jul 96 19:38:43 GMT
To: Corey "M." Horowitz <CMH @ Interramp . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <v02140b00adfd58074dfd @ [38 . 12 . 101 . 212]>
References: Conversation <v02140b00adfd58074dfd @ [38 . 12 . 101 . 212]> with last message <v02140b00adfd58074dfd @ [38 . 12 . 101 . 212]>

> At 08:34 AM 7/1/96, gary flynn wrote:
> >> I think some  important  important questions need to asked:
> >>
> >> 1.  Who appointed the NCSA as the proper body to approve firewalls?
> >>
> >
> >I think your questions are valid but I think the underlying
> >principle is "lead, follow, or get the hell out of the way" :-)
Corey responded in part:
> I think you're all missing the point.  I have no problem with the 
> of the NCSA or any other responsible body acting as a protector of the
> public interest in insuring that all firewall products deliver the 
> promised or, at a minimum, necessary to adequately protect our networks.
> The mission statement is admirable.  The execution is faulty.
I think the real point is that a load of small groups are trying to 
establish themselves as certification authorities on security. There are 
also the national and international initiatives backed by governments.

OK US NCSC may have been too restricted in the past. ITSEC addressed most 
of the major issues, and we are all supposed to be backing Common 
Criteria. None of those schemes are perfect, but one of the reasons for 
that is that vendors and users outside government have been very slow to 
join the party. Thats meant that criteria have been driven by academics 
and government officials and they dont have a really good understanding of 
what drives commercial enterprises.

Rather than sulk off and try to set up many competitive partial schemes, 
it would be more productive to participate in the major schemes which are 
well established and try to improve them. I personally have a few 
reservations about Common Criteria, but it does offer the prospect of a 
true international criteria, its based on ITSEC, which was in turn an 
improvement based on TCSEC, and is well worth actively supporting and 
changing from within.

WRT the nasty commercial issues, no one does anything for free. TCSEC 
certifications cost money,  ITSEC requires the vendor to pay for 
evaluation time at commercial rates, Common Criteria wont be for free. 

The major differences between NCSA certification and say ITSEC are:
1.	NCSA are charging a membership fee which is less than 25% of what 
it would cost for an ITSEC evaluation of a firewall at E2 or E3. If NCSA 
prove to do as good as or better evaluation job then they have commercial 
advantage. Probability though is that their evaluation will be trivial by 
comparison  - if not they are sure to say so on this forum.
2.	ITSEC is open (and has been since 1990) to anyone who wants to 
submit a product and pay for the evaluation. You dont have to be a member 
of the club. Also the criteria is public domain and the evaluators and 
certifiers are not only independent of the vendor, but of eachother - you 
cant get much more equal than that.
3.	National and international legislation will be based on ITSEC and 
CC rather than on trade groups like NCSA.
Ian J-B.

Indexed By Date Previous: RE: NT Backoffice "Catapult" firewall certified?
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Next: Re: NCSA Certification
From: gary flynn <gary @ habanero . jmu . edu>
Indexed By Thread Previous: Re: NCSA Certification
From: CMH @ Interramp . com (Corey M. Horowitz)
Next: Re: NCSA Certification
From: Robert Bonomi <bonomi @ delta . eecs . nwu . edu>

Search Internet Search