My mailer believes Jim Truitt said (in response to Marcus Rathum):
>Date: Sun, 29 Dec 1996 00:36:11 -0500
>From: Jim Truitt <jtruitt @
>Subject: Re: Firewall Rating NCSA != NCSC
>>Some firewall vendors have claimed that their basic platforms
>>are B-something. The firewall software running on them has
>>not been evaluated (or it'd be hideously expensive and wouldn't
>>permit basic functionality like Web traffic because of the threat
>>of covert channels). Those claims are nice but they really
>>don't mean a whole lot.
> I would disagree. Given the choice of hosting the same set of
>firewall apps on rated vs a non-rated platform, I would go with the rated
>platform. In general the OS on the firewall platform should be a "hardened" OS.
But to get the rating (depending on the rating) this probably requires that the
vendor freeze their code (for a lengthy code eval).
And some of the requirements are too restrictive, thus providing for easy denial
of service attacks, i.e. after 3 login failures a user's account is supposed
to be locked
until the administrator can verify that these are legit login failures.
This provides for an easy denial of service attack.
Is that what you want your firewall to do? I don't, but it depends on what the
company's policies say.
Also, there are many ratings; what level do you believe is desirable (C1 ... haha?)
The above feature plus the ability to log is about all you need for an OS to get a
C2 rating (pay the money and wait). This doesn't require any hardening.
It is the rating M$ got for NT the OS, not the NOS.
No, buying a system with an "evaluated rating", i.e. via the Rainbow Series, means you
pay for an evaluation that you may not be benefiting from.
Donald J Smith Network Security Engineer @CDInt
design in security @ the beginning &
ease_of_use != A*(1/Data_Security) for any A
(my opinions are mine and so are the spelling errors ;-)