Great Circle Associates Firewalls
(November 1994)


Subject: Re: assurance for firewalls
From: andys @ unipalm . co . uk (Andy Smith)
Date: Tue, 8 Nov 94 11:26:33 GMT
To: Firewalls-digest @ GreatCircle . COM

> Kurt F. Sauer writes:
> > It seems to me, though, that there ought to be some method of determining the
> > risk associated with fielding a firewall, other than just to say that there
> > is a risk of data from a "more sensitive network" flowing to a "less sensitive" one.
> 	Yes and no. :)
> 	I'd add the caveat that there's a real temptation to attach
> numbers or matrices that might carry inaccurate assumptions, and which
> can lead to inaccurate conclusions. I'm not slamming anyone here -- I've
> caught myself doing this. You know, you're talking with some sultry-looking
> mink-coat-wearing Russian spy in a sleazy bar and she asks how secure your
> firewall is and without thinking, you say, "Oh - probably 90%. I could work
> real hard and maybe get it to 95%." It sounds good, but what does it *MEAN*?

What we really need is something like Red Book, but for commercial firewalls.

It's OK getting a firewall product ratified to Red Book, but from what I understand
it cannot then be sold commercially. If there was a standard for firewalls that
required someone like EDS to ratify the firewall product against the standard,
we would get the assurance that the firewall was doing its job (on the presumption
it's correctly installed!!).

In my books, assurance of something I cannot fully test comes from other people's
experience or standards. This is one of the reasons that I like the Firewall
Toolkit from TIS. Anyone can use it, and many people do, yet there have been no
flames or reported break-ins on a FWTK firewall. Thus one can presume it's secure
... until someone proves otherwise.

However, if the NSA turned round and said "we have had Fred's Firewall tested against
Red Book, and it passed, but we have not ratified it", I would be much happier in
relying on the firewall with the knowledge that the NSA had checked it and had not
broken it.

Could the IETF, IBM, DEC, EDS, ANS, TIS, etc create a standard??


Andy Smith
Internet Security Specialist
Unit 216, Science Park
Milton Rd, Cambridge
England, CB4 4WA
Tel +44 (0)223 250328
EMail: andys @ pipex . net or andys @ unipalm . co .
