Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: assurance for firewalls
From: ks @ netcom . com (Kurt F. Sauer)
Organization: Self
Date: Mon, 7 Nov 1994 13:42:59 -0600 (CST)
To: avolio @ tis . com (Frederick M Avolio)
Cc: charisse @ smallworks . com, firewalls @ greatcircle . com
In-reply-to: <9411071536 . AA25639 @ tis . com> from "Frederick M Avolio" at Nov 7, 94 10:36:00 am

Fred commented on Charisse's response to my original query about firewall
assurance, saying "it seems...that the term 'assurance' is being used in two
different ways here."  And I agree with Fred.

Unfortunately, I can't apply a bunch of science to my comments because I have
not done any assurance studies on software systems.

It seems to me, though, that there ought to be some method of determining the
risk associated with fielding a firewall, other than just to say that there
is a risk of data from a "more sensitive network" flowing to a "less sensi-
tive" one.

>From a system engineering point of view, if one were going to employ a
multi-step firewall, such as:

 +-----------+                +------------+               +------------+
 | Internet/ |                | "Less-     |               | "More-     |
 | Public    |---Firewall_A---| Sensitive" |---Firewall_B--| Sensitive" |
 | Network   |                | Network    |               | Network    |
 +-----------+                +------------+               +------------+

I would intuit that it would be "safer" to employ a heterogeneous mix of
firewalls (Firewall_A & Firewall_B) so that weaknesses in A would not
necessarily be found in B.

In this case, an assurance value would really be something like the cross-
product of the two, except that in failure mode it would be either unity or
the value of the least-secure firewall (depending on the behavior in failure

By the way, should reporting or auditing, such as what Charisse mentioned,
materially affect a level of security assurance?  I would imagine that it
would be useful for verifying assurance, but not for determining a level
of assurance, per se.
Kurt F. Sauer						       Another day.
Milpitas, California                                          Another chance
                                                             to feel healthy.
ViaCrypt PGP key available on key servers

Indexed By Date Previous: Re: finger over proxy?
From: Ken Hardy <ken @ bridge . com>
Next: ping/traceroute over proxy?
From: dmurphy @ cwa . com (Dan Murphy)
Indexed By Thread Previous: Re: assurance for firewalls
From: Frederick M Avolio <avolio @ tis . com>
Next: Re: assurance for firewalls
From: Marcus J Ranum <mjr @ tis . com>

Search Internet Search