Having firmly inserted my lower appendage into a certain orifice, let's
see how good it tastes when I masticate...
BeachCruiser, pelicans @ com recently wrote:
>It (the NSA) is NOT in the business of validating or benchmarking the
>systems and products of commercial companies, or trying to please their
>systems administrators or corporate shareholders.
I understand. So can somebody then explain why I hear repeatedly that
"we choose this product cause NSA blessed it" or that the rags make such
a big deal out of it? It really grates on my nerves when I hear such
lines as the sole justification from those who've never admined a box in
their life or don't understand the variables involved. Maybe we're all
guilty of saddling NSA with stuff it isn't equipped to deal with (not
necessarily technically but financially or time wise).
>The clamoring from the user community is that they all want the "most
>secure" firewall. Of course they don't know, can't figure out, or agree on
>what "secure" even means now any more than they did back then. And the
>vendors don't know what benchmarks to build to. So, just like they did
>back in the TEMPEST days, some simply solve that problem by claiming that
>their product's trust level holds some relevance to Orange Book, or some
>other rating levels established by the security gods. Whether they
>actually did or not was just as much an open question then as it is now.
So which one of us is going to raise our hand and yell "reality check!!
Will the produce manager come to register 3 to render assistance?"
>Well, sure let's just forget about this testing business altogether and let
>a de facto standard emerge based on the vendor with the largest installed
No, I didn't mean to imply anything of the kind. My thrust was that given the
delay involved in the release of their report, if there had been
problems, the market would have found out long before that. Either
through the rags doing their varying degrees of 'testing' or in
customers' use of the product. TIS was mentioned simply because that was
the report case in question. It could have easily been Raptor, or FW1.
>Well now something else is wrong...it seems that somebody's whinin' because
>the test is not rigorous enough, or the reports are no good, or, the soup's
Come to think of it, Turkey and vegetable soup is not very tasty served
Ok, maybe I'm whining and perhaps the NSA did the reviews just to get
"us" off their backs. The "beef" in my case is, if they were going to
conduct the tests, let's see something a little more than the ordinary,
something you CAN'T get from the private sector, something to make joe
admin faint in awe at the mighty power and insight of the NSA (no, I'm
not being sarcastic... well ok, just a little), something to justify
their investment in both time and money (at taxpayer expense no less).
Essentially, the value added. That or stand up and say "Screw you,
we're not in this business to eval firewalls," and let the media and
public know it. Did they do a poor or incomplete job on the stuff they
DID test? No.
Just went and reread the NCSA certification rules and they're not half
bad. Perhaps I should look into this a little more. Personally I don't
mind that NCSA charges for their services. I can understand it costs a
pretty penny to provide the facilities and the time and people to conduct
the tests even if they might be simple. In any event we and the industry
need a watchdog of some sort to establish a baseline. Maybe NCSA is the
best forum for the time being. I'm not so sure I'd be willing to let the
rags be our conscience. Could the NCSA rating be improved qualitatively
with a wider collection of tools? The NID or SPI products perhaps?
Running challenge sites (a SCC favorite) for each product? With periodic
reports on how they handled new attacks?
The problem with the firewalls issue is that it's only part of the
problem. There are a further million and one variables/cases in securing
the holistic network, which is what we're driving toward. The case of
little applets slipping through the FW into a client which can then do
all kinds of mischief really isn't a firewall issue per se. Or an
inexperienced web server setup letting someone waltz right on thru to the
>While still others don't seem to have any problem at all when an industry
>rag, owned by a publishing house for godsake, that doesn't know a covert
>channel from the English Channel, puts out a review and within an hour the
>Madison Avenue machine is in overdrive to tell you who won.
These guys really get to me too. A couple of pointers at Network World's
review are in order, I think.
>If you've got the source, everything is
to those who can understand it. Can any one person understand it?
Probably not. But given how many good minds there are I think a pretty
good effort can be made.
I like your humor. Something I need to work on... Maybe I should get in
touch with my "inner child." An associate worked for NSA for 10+ years;
if anything I ought to be singing its praises.
>uh...more tea anyone?
Thanks, just make it a sweet tea with lemon.
PS. Tempest = storm, maelstrom, serious atmospheric disturbance. But I'm
sure that definition was NOT the one you wanted.