> Kurt F. Sauer writes:
> > It seems to me, though, that there ought to be some method of determining the
> > risk associated with fielding a firewall, other than just to say that there
> > is a risk of data from a "more sensitive network" flowing to a "less sensitive" one.
> Yes and no. :)
> I'd add the caveat that there's a real temptation to attach
> numbers or matrices that might carry inaccurate assumptions, and which
> can lead to inaccurate conclusions. I'm not slamming anyone here -- I've
> caught myself doing this. You know, you're talking with some sultry-looking
> mink-coat-wearing russian spy in a sleazy bar and she asks how secure your
> firewall is and without thinking, you say, "Oh - probably 90%. I could work
> real hard and maybe get it to 95%" It sounds good, but what does it *MEAN*?
What we really need is something like Red Book, but for commercial firewalls.
It's OK getting a firewall product ratified to Red Book, but from what I understand
it cannot then be sold commercially. If there was a standard for firewalls that
required someone like EDS to ratify the firewall product against the standard,
we would get the assurance that the firewall was doing its job (on the presumption
it's correctly installed!!).
In my books, assurance of something I cannot fully test comes from other people's
experience or standards. This is one of the reasons that I like the Firewall
Toolkit from TIS. Anyone can use it, and many people do, yet there have been no
flames or reported break-ins on a FWTK firewall. Thus one can presume it's secure
... until someone proves otherwise.
However, if the NSA turned round and said we have had Fred's Firewall tested against
Red Book, and it passed, but we have not ratified it, I would be much happier in
relying on the firewall with the knowledge the NSA had checked it and had not
Could the IETF, IBM, DEC, EDS, ANS, TIS, etc create a standard??
Internet Security Specialist
Unit 216, Science Park
Milton Rd, Cambridge
England, CB4 4WA
Tel +44 (0)223 250328
EMail: andys @
net or andys @