Mark Johnson <mark @
Re: Firewall Security Ratings
> The best place is from the source at
> If they are not on the list then it is highly probable that they
> aren't classified at all.
WHOAH! NCSA(com) is categorically NOT the same organization
as NCSC(mil) though the names are similar. NCSC publishes
the "rainbow series" which is the government's specification for
secure systems (the Trusted Computer Systems Evaluation Criteria
or TCSEC). NCSC is a branch of the National Security Agency(NSA)
and NCSA is a computer security consultancy in Pennsylvania.
The two organizations have very different goals. At the least,
one is trying to make money while the other is spending money
at a mind-bending rate but it's all off a classified budget so none
of us know. :)
Systems that have been evaluated (note "rated" is not the correct
term) are listed on the Evaluated Products List (EPL) which is
published by the NCSC. If you want a copy of the EPL you
should request it from NSA.
That being said: you won't find any firewalls on it. Trusted systems
and firewalls don't mix. For one thing, no vendor has gotten a
firewall system through evaluation -- one vendor got it through the
Common Criteria but that's another story. The TCSEC and the
Common Criteria are completely irrelevant to 99% of the real
world and only really apply to insanely expensive outdated and
unusable government classified systems. That's the other reason
firewall vendors have wisely stayed away from the TCSEC: it's
a huge waste of time and money and like all government programs
it will never die -- it's worse than the strategic helium reserve
because NSA's budget is classified so nobody is able to hold
it up for ridicule.
Some firewall vendors have claimed that their basic platforms
are B-something. The firewall software running on them has
not been evaluated (or it'd be hideously expensive and wouldn't
permit basic functionality like Web traffic because of the threat
of covert channels). Those claims are nice but they really
don't mean a whole lot.
One the topic of NCSA, they are trying to do some rough testing
of firewalls and publishing their results. My opinions on the topic
of firewall testing are best elaborated in:
> > Does anyone know of a URL or other Internet resource where I can verify
> > firewall vendor claims regarding U.S. Government computer security
> > ratings. Specifically, the so-called B1 and B2 classifications issued by
> > the National Computer Security Center?
(BTW, like all LGPs, the TTAP is chock full of BAA, mostly
TLAs and some FLAs. This makes it good reading if you
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
"I'll have time to be laid back when I'm laid out on a slab"