Great Circle Associates Firewalls
(July 1996)

Subject: firewall certification (was Re: NCSA)
From: "Marcus J. Ranum" <mjr @ clark . net>
Organization: V-One Corporation, Baltimore, MD Office
Date: Mon, 1 Jul 1996 21:27:45 -0400 (EDT)
To: firewalls @ greatcircle . com
Phone: 410-889-8569
Reply-to: mjr @ v-one . com

	[This is no longer particularly related to NCSA, so it
should not be taken as criticism or praise for their business.]

	I'm very cynical about the whole notion of firewall
certification, as many of you have noted. Mostly, it's because
it's nearly impossible to find an unbiased source. For example,
the federal government's various agencies have several times
tried to publish firewall recommendations but whenever they
do, they get slammed and threatened with lawsuits by the
vendors that feel they are slighted. There are probably all
kinds of goofy procurement rules that further tie the hands
of government agencies, with respect to making comments.

	NSA, for example, has spent a lot of effort looking
at firewalls. I know this for a fact, and I'm doubly frustrated
by the fact that they don't say much. On one hand, it's about
unclassified stuff, and WE PAID FOR IT - but - I suspect
that the hassle they'd get from the vendors simply isn't
worth it. I was involved in one case where NSA looked at
a firewall that I built, but I was never formally told the
results because they were CLASSIFIED. Hell, don't tell the
author!

	NCSA's situation is different: they have customers
who are paying them for a service. As with any service
providing business, there's a transfer of power of position
along with the transfer of money. I believe that with
firewalls, NCSA's stated plan was to start with fairly
basic tests that verified a reasonably simple baseline,
and then to "raise the bar" over time. They certainly
could not set the bar too high right away or they'd
scare their customers (the vendors) off. I can accept
that some of what NCSA's doing has value, by interpreting
it as an extended marketing effort by the vendors, with
NCSA as a mouthpiece that makes sure the claims aren't
too egregious. That's a *START*. A tiny one.

	To do product reviews, I believe the only people
who are qualified are the ones who are beholden to none,
and who have a history (in theory) of resisting censorship.
By that, I mean The Fourth Estate. Unfortunately, from the
quality of a few of the firewall evaluations, it is clear
that not all members of the press take their responsibility
very seriously: I've seen firewall "reviews" that crib
marketing copy verbatim.

	I continue to advocate that people EDUCATE
THEMSELVES rather than take someone else's opinion in
someone else's evaluation. It is foolishness to think
of a firewall as an isolated "black box" that you can
somehow test in a clean lab, then plug into your WAN
and get security. Security is not about "black boxes"
it is a PROCESS that requires UNDERSTANDING and
COMMITMENT from management. Many of you (including
the guys at NCSA who I've discussed this with!)
sense a great deal of ambivalence on my part about
their efforts. In one sense I think it is a step
forward; in another I think it's a step backward.
On one hand we may see some sanity in marketing
claims, and on the other, we may see people abrogate
their responsibility to THINK about what they are
doing when they see a sticker on a firewall.
Obviously, they are going to continue to move
forward with their project - let's watch and see
what happens. The best thing we can contribute is
healthy, productive skepticism, and our support* if
it looks like they're playing honestly.

mjr.
(* Oddly enough, I've contributed some effort pro
bono to the NCSA project. They've adopted my firewall
functional summaries format. I think that's a good
thing, but time will tell!)

-- 
Chief Scientist, V-ONE Corporation  --  "Security for a connected world"
work            http://www.v-one.com
personal        http://www.clark.net/pub/mjr/mjr-top.html
