Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: assurance for firewalls
From: "Johnson-Bryden, Ian" <IJB @ saicuk . co . uk>
Date: Wed, 09 Nov 94 13:56:00 GMT
To: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM>
Encoding: 97 TEXT

There are some very basic questions.

Why consider only assurance if your target is commercial/civil government?

Why would a European based company like Pipex want to depend on an old US 
criteria when they can easily use the European ITSEC which is designed to 
support commercial use?

Why would there be any benefit in encouraging vendors to re-invent the wheel 
by producing yet another criteria?

What levels of assurance, integrity and availability are you expecting as a 
Target Of Evaluation?

If you might be happy with a vendor defined criteria, why not accept a 
vendor assurance of designed to meet an existing criteria with self test 
using compliance suites?

Why assume that the lack of reported break-ins and no flames = a secure 
product meeting all possible requirements?

Ian J-B
From: firewalls-owner
To: Firewalls-digest
Subject: Re: assurance for firewalls
Date: 08 November 1994 11:26

> Kurt F. Sauer writes:
> > It seems to me, though, that there ought to be some method of 
> > risk associated with fielding a firewall, other than just to say that
> > is a risk of data from a "more sensitive network" flowing to a "less
> > tive" one.
>       Yes and no. :)
>       I'd add the caveat that there's a real temptation to attach
> numbers or matrices that might carry inaccurate assumptions, and which
> can lead to inaccurate conclusions. I'm not slamming anyone here -- I've
> caught myself doing this. You know, you're talking with some 
> mink-coat-wearing russian spy in a sleazy bar and she asks how secure your
> firewall is and without thinking, you say, "Oh - probably 90%. I could 
> real hard and maybe get it to 95%"  It sounds good, but what does it 

What we really need is something like Red Book, but for commercial 

Its OK getting a firewall product ratified to Red Book, but from what I
it cannot then be sold commercially. If there was a standard for firewalls,
required someone like EDS to ratify the firewall product against the 
we would get the assurance that the firewall was doing its job (on the
its correctly installed!!).

In my books, assurance of something I cannot fully test comes from other
experience or standards. This is one of the reasons that I like the Firewall
toolkit from TIS. Anyone can use it, and many people do, yet there have been
flames or reported break-ins on a FWTK firewall. Thus one can presume its
... until someone proves otherwise.

However if the NSA turned round and said we have had Freds Firewall tested
Red Book, and it passed, but we have not ratified it. I would be much 
relying on the firewall with the knowledge the NSA had checked it and had 
broken it.

Could the IETF, IBM, DEC, EDS, ANS, TIS, etc create a standard??


Andy Smith
Internet Security Specialist
Unit 216, Science Park
Milton Rd, Cambridge
England, CB4 4WA
Tel +44 (0)223 250328
EMail: andys @
 pipex .
 net or andys @
 unipalm .
 co .

Indexed By Date Previous: Re: Harris Systems
From: Chris Spinolo <spig @ lanman . gsfc . nasa . gov>
Next: Re: Firewall OpSys
From: "Kurt S. Plowman" <PLOWMAKS @ cspc13 . unos . org>
Indexed By Thread Previous: Re: assurance for firewalls
From: Rick Smith <smith @ sctc . com>
Next: Re: assurance for firewalls
From: Rick Smith <smith @ sctc . com>

Search Internet Search