The Orange book is just one of the two dozen that make up the Rainbow
Series security books. It wouldn't mean a thing if someone made the most
secure operating system in the world, if they sent it to you through the
U.S. Mail. You need to look at the Rainbow Book that deals in "trusted
distribution". Networking is dealt with in the Red book, etc.
As far as the hardware platform not being mentioned; contact the vendor
or look on NSA's dockmaster system for where you can get a copy of the
"Final Evaluation Report" (FER). Not only does it state the hardware
platform, but it must specify the exact revision of any programmable or
intelligent chip. So if the LAN card is no longer available, the company
must test and document all of the changes (even if it is only the date of
when the chip was manufactured) and send it to the evaluation team. If
it is minor, they can handle these issues in a short turnaround.
However, if it is major (such as going from an i486 to a Pentium), they
may have to go through 50% or more of all of the evaluation tests again.
Depending on how close the revisions of a vendor's product are, they may
have to go through a complete evaluation, or they may be blessed with
getting into the RAMP program. NSA was also talking of coming out with a
watered-down evaluation (so Microsoft could get a quick evaluation)
called TTAP, or something similar. I haven't heard much about it in the
last year, so maybe someone else could clarify its status.
To look at a FER in detail from a system that successfully passed A1 and
B3 - call Honeywell Federal Systems (now owned by WANG) in Tyson's
Corner. The FER will give you a better understanding of what it takes to
get past the sometimes-vague, opinion-changeable, out-dated,
still-the-only-thing-that-people-have-followed (Karen G. must excuse my
lack of European evaluation respect here ;^D) guidelines for what makes
up security (primarily for the government).
Regards,
BM2
>snip: original message
I have a listing of the products (OS's & Network Components) that are
rated at A1, B1, B2, B3, C1, & C2, and nowhere does it mention what
hardware the OS, etc was running on. The only thing mentioned in the
"Orange Book" is the way that the OS handles security measures. This
pertains to firewalls also in the fact that firewalls must have
contingencies that provide security between two areas, and can be
documented to do so.