At 6:12 PM 2/1/97, Matthew Patton wrote:
>>release of more test results as the X31 crew expands their commercial
>>firewall product evaluations. Gauntlet and Sidewinder just happened to be
>>the first two on the bench. Others are already in the queue.
>But has anybody read them? I just finished the TIS one and I'm VERY
>nonplussed. What's the value added of the X31's efforts? There's no new
>insight, and it was hardly what I'd consider rigorous. Indeed their
>testing basically boiled down to confirming that the firewall obeyed
>protocol conventions. So what? The trade rags do similar testing.
Well then why don't you give Jim Harper a call. He runs CSC's INFOSEC
lab facility in Hanover, MD. Tell him you weren't happy with the limp
wristed job that was done under the X31 network security products eval
tasking, and you want the full up bed-of-nails protocol on your firewalls
of choice...gate crashing and penetration vulnerability, covert channel
analysis...the whole nine yards. Be aware that they do most of the INFOSEC
T&E's for NSA, and that lab runs hot constantly, so, you'll probably have
to wait a couple of months for a slot.
BTW you might want to have your boss talk to some investment bankers about
a second round public offering because what that job is gonna cost you
exceeds most companies' net worth. Otherwise the TPEP catalog would be 80
pages long instead of eight.
>There are an incredible number of TIS sites out there and if the features
>didn't work as advertised we'd have known a LONG time ago.
Well, sure let's just forget about this testing business altogether and let
a de facto standard emerge based on the vendor with the largest installed
base. Ok, TIS wins, we'll proclaim Fred Avolio the Bill Gates of
Firewalls, those who survive can call him for a license, and the rest of
you can find another line of work. :)
>I'll read the sidewinder one next and I'm prepared to be yet again
>disappointed at the coverage.
It might also be helpful if some folks on this forum understood that the
National Security Agency exists to serve the national intelligence and
information systems security communities, at the pleasure of the Secretary
of Defense, Director of Central Intelligence and the National Security
Advisor. It is NOT in the business of validating or benchmarking the
systems and products of commercial companies, or trying to please their
systems administrators or corporate shareholders.
"The Fort" hasn't taken this kind of beating since the '70's and '80's when
we had a flock of commercial companies trying to build TEMPEST* approved
equipment. It's very interesting to watch this come around again. There
was the same noise over testing, certifications and endorsements then as
there is now. Only, firewalls are the bullwhips of the '90's coming across
The clamoring from the user community is that they all want the "most
secure" firewall. Of course they don't know, can't figure out, or agree on
what "secure" even means now any more than they did back then. And the
vendors don't know what benchmarks to build to. So, just like they did
back in the TEMPEST days, some simply solve that problem by claiming that
their product's trust level holds some relevance to Orange Book, or some
other rating levels established by the security gods. Whether they
actually did or not was just as much an open question then as it is now.
And of course then, as is the case today, the "suits" downtown started
feeling the political heat because the media was making hay about Russians
pointing pigtail antennas at or bouncing lasers off of windows and
capturing the returns to intercept keystroke emissions or room
conversations. Now the rage is about the hackers pillaging the national
information infrastructure...and it all finally gets to the point where
20755 says, "ok, bring 'em on in here, wire 'em up, let's see what these
things do and we'll publish the results."
Well now something else is wrong...it seems that somebody's whinin' because
the test is not rigorous enough, or the reports are no good, or, the soup's
I'm not here to defend the NSA, but you could well imagine that some of
those folks over there might be muttering, "screw this...I'm moving to the
beach and be a plumber".
Along comes the NCSA to try and bring some rationale to the process, in
concert with nearly every developer in the business, by establishing a lab
and hacking up some benchmarks. But, now some are saying that's not
credible either because they're takin' money for it. Apparently somewhere
along the line those folks were never told that the development and
marketing of commercial security systems and products was a business.
While still others don't seem to have any problem at all when an industry
rag, owned by a publishing house for godsake, that doesn't know a covert
channel from the English Channel, puts out a review and within an hour the
Madison Avenue machine is in overdrive to tell you who won.
Well, this aforementioned stupidity has brought me to realize that perhaps
indeed Marcus was right...as long as you've got source code who needs X31,
NCSA or Firewalls Home Journal to tell you about your gui frosted filter
stack or app gateway of choice. If you've got the source, everything is
To you folks up in X31...hang in there...only six more weeks of winter.
Ocean City and Dewey await you.
uh...more tea anyone?
Cypress Systems Corporation
P. O. Box 809
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0888 STU-III
I don't give them hell...I just give them the truth, and they think it's hell.
- Harry Truman
ps: Wonder if there is anyone else out there who knows or remembers what
TEMPEST actually stands for? And yes it IS an acronym, and it DOES mean