In message <199702201524 . com> "Fir E. Walls" writes:
> For all these firewall products being offered by vendors, what proof if any,
> to the customer, does the vendor provide to guarantee correct bounds
> checking has been done in their source code so the stack cannot
> be mangled by buffer overflows (and hence compromised)?

None of them do this in an independently verifiable way, beyond what NCSA and
the various magazines test for. I would be interested in how much of that is
intensive penetration testing, and how much is simply functionality testing
(i.e., works as documented).

You will probably be safer with one of the few firewalls to run on a platform
that uses some kind of mandatory access control to isolate the firewall from its
executable images and configuration files. This leaves you with two choices:

Sidewinder (which uses its own operating system's type enforcement mechanisms
that have no independent verification of assurance, but which has received good
security kudos in general firewall tests by magazines and NCSA).

Cyberguard, which runs on the NSA evaluated (B1) Harris CX/SX operating system
on the Harris Nighthawk computer, and also on SCO CMW (B1 evaluated).
Cyberguard uses the mandatory security policy of the OS to isolate its
executables and configuration files at a different non-write-accessible security
level from the executing firewall. It does not, however, do what Sidewinder
does, and set the different network interfaces at different security levels -
the firewall is essentially a "blob" at a single level that is able to read but
not write to its config files and executable images.

We have been considering putting a firewall on our B3 platform. On our platform
- unique in the industry - we have a mandatory *integrity* policy that protects
files from being modified while allowing them to be read by processes that need
to read them. However, we are more likely to avoid the "me too" syndrome of
coming out with just another firewall, by developing a truly trusted firewall
that uses all aspects of our system's mandatory security and integrity policies,
along with a trusted re-grader, to assuredly isolate the "inside" from the
"outside" of the firewall. Such a firewall - really more of an Internet Guard -
would prevent traffic from passing from one side to the other except via a
carefully controlled trusted process. The B3-evaluated operating system would
not only protect the firewall from illicit penetration, but would prevent
hackers from penetrating around the firewall through the operating system.

Manager, Business Development
Secure Systems & Services Operation
WANG I-NET Government Services
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
tel (703)827 3914
fax (703)827 3161
email goertzek @