There are some very basic questions.
Why consider only assurance if your target is commercial/civil government?
Why would a European-based company like Pipex want to depend on an old US
criteria when they can easily use the European ITSEC, which is designed to
support commercial use?
Why would there be any benefit in encouraging vendors to re-invent the wheel
by producing yet another criteria?
What levels of assurance, integrity and availability are you expecting as a
Target Of Evaluation?
If you might be happy with a vendor-defined criteria, why not accept a
vendor assurance of "designed to meet an existing criteria", with self-test
using compliance suites?
Why assume that the lack of reported break-ins and no flames = a secure
product meeting all possible requirements?
Subject: Re: assurance for firewalls
Date: 08 November 1994 11:26
> Kurt F. Sauer writes:
> > It seems to me, though, that there ought to be some method of
> > risk associated with fielding a firewall, other than just to say that
> > is a risk of data from a "more sensitive network" flowing to a "less
> > tive" one.
> Yes and no. :)
> I'd add the caveat that there's a real temptation to attach
> numbers or matrices that might carry inaccurate assumptions, and which
> can lead to inaccurate conclusions. I'm not slamming anyone here -- I've
> caught myself doing this. You know, you're talking with some
> mink-coat-wearing russian spy in a sleazy bar and she asks how secure your
> firewall is and without thinking, you say, "Oh - probably 90%. I could
> real hard and maybe get it to 95%" It sounds good, but what does it
What we really need is something like Red Book, but for commercial
Its OK getting a firewall product ratified to Red Book, but from what I
it cannot then be sold commercially. If there was a standard for firewalls,
required someone like EDS to ratify the firewall product against the
we would get the assurance that the firewall was doing its job (on the
it's correctly installed!!).
In my book, assurance of something I cannot fully test comes from other
experience or standards. This is one of the reasons that I like the Firewall
toolkit from TIS. Anyone can use it, and many people do, yet there have been
flames or reported break-ins on a FWTK firewall. Thus one can presume it's
... until someone proves otherwise.
However if the NSA turned round and said we have had Fred's Firewall tested
Red Book, and it passed, but we have not ratified it. I would be much
relying on the firewall with the knowledge the NSA had checked it and had
Could the IETF, IBM, DEC, EDS, ANS, TIS, etc create a standard??
Internet Security Specialist
Unit 216, Science Park
Milton Rd, Cambridge
England, CB4 4WA
Tel +44 (0)223 250328
EMail: andys @
net or andys @