In message <32F3DA42 .
com> Jim Canfield writes:
> First: How is security rated A1, B3, B2, B1, C2, C1 in the US, other
> similar grading scales in England/Germany and probably countless others
TCSEC (US) = ITSEC (EU)
A1 = E6 / F6 (or F-A1)
B3 = E5 / F5 (or F-B3)
B2 = E4 / F4 (or F-B2)
B1 = E3 / F3 (or F-B1)
C2 = E2 / F2 (or F-C2)
C1 = E1 / F1 (or F-C1)
There is no concept, in TCSEC, for separate assurance and functionality
evaluations. Each rating assumes a combination of functionality and assurance
at a certain level.
The Common Criteria (if they ever happen) will look a lot more like the ITSEC
The TCSEC also does not evaluate *applications* (though it does evaluate the
TCBs of relational database management systems). Thus, there are no TCSEC
evaluations of *firewalls*, because these are applications.
The ITSEC *does* evaluate applications - including firewalls. This is why
CyberGuard was evaluated, as an application, in Europe, while the CyberGuard
platform (Harris "Nighthawk") was all that was evaluated in the U.S.
("NightHawk" also got an E3/F3 rating in Europe). CyberGuard got an "E3"
assurance rating at a UK CLEF.
Then to find out what was the best achievable security rating
> for a product that is usable.
The highest rating any firewall has got is the ITSEC "E3" given to CyberGuard.
Even this is possibly "underkill", for while the MACs provided at the E3 (B1)
level may be used to protect the firewall, E3 does *not* provide a covert
channel analysis, so there may be huge covert channels in a E3 (B1) operating
system or application that can be exploited by a clever malfeasant.
ON the other hand, none of the firewall applications (except Sidewinder) running
on B1/E3 platforms actually use the MACs to reinforce separation between the
networks connected to the firewall. Both CyberGuard and the Norman Firewall
(which runs on Compartmented Mode Workstations with MACs) run at a single level
in the MAC scheme of the operating system. There is no trusted process in these
firewalls that would allow the "inside" to run at a higher classification level
than the "outside", thus using the MACs and TCB effectively to separate the
protected network from the unprotected one. Only Sidewinder does this, using
type enforcement, and even with type enforcement, there is no sense of the
inside being more protected than the outside (though the combination of non-TCB
related firewall configuration - e.g., which proxies are two-way, which are only
outbound ,etc. - and type enforcement can achieve something resembling this).
However, I have heard that Sidewinder is very difficult to configure, unless
they have managed to greatly improve their interface in new release.
Cyberguard, on the other hand, is supposed to be as easy to configure as
Firewall-One, and is more trustworthy.
> The most secure, usable, firewall we have found to date is the
> As mentioned the products are B1 compliant (awaiting certification)....
The OS is already evaluted, and the E3 rating of the firewall application should
be completed any day now.
Manager, Business Development
Secure Systems & Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
tel (703)827 3914
fax (703)827 3161
email goertzek @