Firewalls: Re: Gauntlet vs. Sidewinder

Firewalls
(October 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Gauntlet vs. Sidewinder
From:	"K.M. Goertzel" <goertzek @ wangfed . com>
Date:	Fri, 4 Oct 96 13:22:27 -0400
To:	firewalls @ GreatCircle . COM
Reply-to:	"K.M. Goertzel" <goertzek @ wangfed . com>

In message <199610031155 .
 HAA30042 @
 maddie .
 atlantic .
 com> Rick Romkey writes:

> 1) it must support the services that you need
> 2) it must be affordable
> 3) it must be secure
> 4) it has to make sense

It would seem that one of the considerations when selecting between products 
that meet requirement #3 above, that one way of "assuring" that the underlying 
operating system is as secure as the vendor claims it is would be to have an 
*independent* evaluation of the security of that operating system, instead of 
simply relying on the vendor's word that their method of "hardening" the OS - 
either using chroot or type enforcement - actually results in a 
"hacker-resitant" operating system.

It would seem to me that a firewall that runs on an NSA evaluated operating 
system would at least provide that kind of independent "seal of approval".  Of 
course, SCC have had a lot of experience building operating systems that are 
designed to be trustworthy.  But they have yet to receive an NSA or ITSEC 
evaluation of their operating system.  They might argue that such an evaluation 
is unnecessary.  My feeling is that the NSA evaluation in this context is no 
different than a UL or Good Housekeeping seal on a household appliance.  It's 
just one more way of knowing that experts who don't have a vested interest in 
the market success of the product have assured the truth of the product's 
security claims.

For this reason, when considering requirement #3 above, I'd tend to look at a 
CyberGuard running on the B1 *evaluated* Nighthawk operating system. Absent a 
covert channel analysis on *any* of these firewall operating systems - at least 
for now - I'd feel warmer and fuzzier about the OS security claims made on 
behalf of Nighthawk than the claims made on behalf of the Sidewinder OS - at 
least until I've seen the certification and accreditation paperwork that comes 
out of the NSA's MISSI programme that will be using Sidewinder for some of its 
single-level X.400 firewalls.

Now, can someone explain to me why Sidewinder doesn't appear on the NCSA's list 
of "blessed" firewalls - at least it doesn't according to the press release I 
received?

=====

K.M. Goertzel * Manager, Business Development
Secure Systems & Services Operation * WANG FEDERAL, Inc.
tel (703)827 3914 * fax (703)827 3161 * email goertzek @
 wangfed .
 com

"An elephant:  a mouse built to government specifications"
                                         - Robert Heinlein

Indexed By Date	Previous:	Re: ATM Firewalls From: Gerard Hynes - Compusult Limited - Mount Pearl - NF - Canada <ghynes @ compusult . nf . ca>
Indexed By Date	Next:	Re: PIX (CISCO) From: Ryan Mooney <ryan @ pcslink . com>
Indexed By Thread	Previous:	RE: Gauntlet vs. Sidewinder From: "Davidson, Clyde" <CDAVIDSO @ IS . NMH . NMH . ORG>
Indexed By Thread	Next:	Re: Gauntlet vs. Sidewinder From: Richard Stiennon <richards @ netrex . com>