Great Circle Associates Firewalls
(November 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: assurance for firewalls
From: "Johnson-Bryden, Ian" <IJB @ saicuk . co . uk>
Date: Wed, 09 Nov 94 13:56:00 GMT
To: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM>
Encoding: 97 TEXT

There are some very basic questions.

Why consider only assurance if your target is commercial/civil government?

Why would a European based company like Pipex want to depend on an old US 
criteria when they can easily use the European ITSEC which is designed to 
support commercial use?

Why would there be any benefit in encouraging vendors to re-invent the wheel 
by producing yet another criteria?

What levels of assurance, integrity and availability are you expecting as a 
Target Of Evaluation?

If you might be happy with a vendor defined criteria, why not accept a 
vendor assurance of designed to meet an existing criteria with self test 
using compliance suites?

Why assume that the lack of reported break-ins and no flames = a secure 
product meeting all possible requirements?

Ian J-B
 ----------
From: firewalls-owner
To: Firewalls-digest
Subject: Re: assurance for firewalls
Date: 08 November 1994 11:26

> Kurt F. Sauer writes:
> > It seems to me, though, that there ought to be some method of 
determining
the
> > risk associated with fielding a firewall, other than just to say that
there
> > is a risk of data from a "more sensitive network" flowing to a "less
sensi-
> > tive" one.
>
>       Yes and no. :)
>
>       I'd add the caveat that there's a real temptation to attach
> numbers or matrices that might carry inaccurate assumptions, and which
> can lead to inaccurate conclusions. I'm not slamming anyone here -- I've
> caught myself doing this. You know, you're talking with some 
sultry-looking
> mink-coat-wearing russian spy in a sleazy bar and she asks how secure your
> firewall is and without thinking, you say, "Oh - probably 90%. I could 
work
> real hard and maybe get it to 95%"  It sounds good, but what does it 
*MEAN*?

What we really need is something like Red Book, but for commercial 
firewalls.

Its OK getting a firewall product ratified to Red Book, but from what I
understand
it cannot then be sold commercially. If there was a standard for firewalls,
that
required someone like EDS to ratify the firewall product against the 
standard
we would get the assurance that the firewall was doing its job (on the
presumption
its correctly installed!!).

In my books, assurance of something I cannot fully test comes from other
peoples
experience or standards. This is one of the reasons that I like the Firewall
toolkit from TIS. Anyone can use it, and many people do, yet there have been
no
flames or reported break-ins on a FWTK firewall. Thus one can presume its
secure
... until someone proves otherwise.

However if the NSA turned round and said we have had Freds Firewall tested
against
Red Book, and it passed, but we have not ratified it. I would be much 
happier
in
relying on the firewall with the knowledge the NSA had checked it and had 
not
broken it.

Could the IETF, IBM, DEC, EDS, ANS, TIS, etc create a standard??

Andy


Andy Smith
Internet Security Specialist
PIPEX
Unit 216, Science Park
Milton Rd, Cambridge
England, CB4 4WA
Tel +44 (0)223 250328
EMail: andys @
 pipex .
 net or andys @
 unipalm .
 co .
 uk


Indexed By Date Previous: Re: Harris Systems
From: Chris Spinolo <spig @ lanman . gsfc . nasa . gov>
Next: Re: Firewall OpSys
From: "Kurt S. Plowman" <PLOWMAKS @ cspc13 . unos . org>
Indexed By Thread Previous: Re: assurance for firewalls
From: Rick Smith <smith @ sctc . com>
Next: Re: assurance for firewalls
From: Rick Smith <smith @ sctc . com>

Google
 
Search Internet Search www.greatcircle.com