The only thing that is B1 is what is on the Evaluated
Products List (EPL). To the NCSC (IMHO) a
firewall is a principle, not a product or a security
feature.
Using a B1 system as an Internet firewall buys
you the *possibility* of Mandatory Access Control
(MAC) protection of data and processes associated
with one network interface from another. However,
without some customized gatewaying "glue" there
would be no way to join the two networks - something
that necessarily must occur ;-) This is essentially what
application gateways do, however. You may want to
find out what part of the firewall is part of the *evaluated*
trusted computing base (TCB) and what part is custom firewall
code, which you can't trust any more than anybody
else's non-evaluated firewall code.
Typically, IMHO as ratings become more secure, the
skill and wizardry required to administer the system
increases. This is for a variety of reasons, but you have
to ask yourself if the added complexity will slow you
down at all during a security incident or cause additional
administrative down time.
As I see it B1+ systems do a good job providing general
purpose security features. It shouldn't be too surprising
that some of these features could be used to implement
an Internet firewall. However, one of the principles of
good firewall design is the "keep it simple" principle.
IMHO, a product designed to focus on the task at hand,
and ONLY on the task at hand, makes a better firewall.
Even without an NCSC evaluation.
If you employ a "multi-labeled data" security policy in
your private network then acronyms like TSIX, DNSIX
or MAXSIX might mean something to you. These protocols
allow B1+ systems to talk to each other. It would
make a lot of sense to have a B1 firewall if one side was
Internet and the other was TSIX (for example).
Regards,
Ned
(These opinions are mine and no one elses except by coincidence)
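[Added example, not part of Ned's reply or the list thread: a small Python model of the label dominance rules a B1 system's MAC enforces (a subject may read an object only if its level and categories dominate the object's, and may write it only if the object's dominate the subject's). It is here to show what Ned describes above: two interfaces carrying different labels isolate each other's data and processes, and the gatewaying "glue" that joins them has to be a trusted subject that is allowed to write down past the ordinary MAC check, which is exactly the part an evaluation of the OS does not cover. The label names, interface names, subjects and messages are constructed for the example.]

```python
# Added example (not from Ned's reply or the original post): a toy model of
# the label-based MAC rules a B1 system enforces, used to show that processes
# and data tied to one interface are isolated from the other, and that the
# "glue" relaying between them has to be a trusted subject outside the
# ordinary MAC check. Labels, interface names and messages are constructed.
from dataclasses import dataclass, field

# Hierarchical levels; categories are non-hierarchical compartments.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """Level at least as high and a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    label: Label
    trusted: bool = False   # allowed to write down: this is the unevaluated glue


@dataclass
class Obj:
    name: str
    label: Label
    data: list = field(default_factory=list)


class MacViolation(Exception):
    pass


def read(subject, obj):
    # Read requires the subject's label to dominate the object's.
    if not subject.label.dominates(obj.label):
        raise MacViolation(f"{subject.name} may not read {obj.name}")
    return list(obj.data)


def write(subject, obj, item):
    # Write requires the object's label to dominate the subject's
    # (no write-down), unless the subject is trusted to bypass that rule.
    if not (obj.label.dominates(subject.label) or subject.trusted):
        raise MacViolation(f"{subject.name} may not write {obj.name}")
    obj.data.append(item)


def can(action, subject, obj, item=None):
    """True if the access is permitted; a refused write leaves obj untouched."""
    try:
        if action == "read":
            read(subject, obj)
        else:
            write(subject, obj, item)
        return True
    except MacViolation:
        return False


# Constructed scenario: each interface gets its own category, so neither
# side's label dominates the other's and the two are mutually isolated.
EXTERNAL = Label("UNCLASSIFIED", frozenset({"EXTERNAL"}))
INTERNAL = Label("UNCLASSIFIED", frozenset({"INTERNAL"}))
BOTH = Label("UNCLASSIFIED", frozenset({"EXTERNAL", "INTERNAL"}))


def build_scenario():
    ext_if = Obj("if0 (Internet side)", EXTERNAL, ["GET /index.html"])
    int_if = Obj("if1 (private side)", INTERNAL)
    ext_daemon = Subject("daemon bound to if0", EXTERNAL)
    gateway = Subject("application gateway", BOTH)   # dominates both sides
    return ext_if, int_if, ext_daemon, gateway


def relay(gateway, src, dst):
    """Forward every queued message from src to dst under the MAC checks."""
    msgs = read(gateway, src)
    for m in msgs:
        write(gateway, dst, m)
    return len(msgs)


if __name__ == "__main__":
    ext_if, int_if, ext_daemon, gateway = build_scenario()
    print("if0 daemon reads if1:", can("read", ext_daemon, int_if))     # False
    print("gateway reads if0:   ", can("read", gateway, ext_if))        # True
    print("gateway writes if1:  ", can("write", gateway, int_if, "x"))  # False
    gateway.trusted = True                                              # the glue
    print("relayed:", relay(gateway, ext_if, int_if), "message(s)")     # 1
```

The point to take from the run is the third line: even a gateway whose label dominates both interfaces cannot move data from if0 to if1 without being marked trusted, because that is a write-down. The relay only works once the gateway is exempted from the check, so the correctness of the firewall rests on that exempted code, not on the evaluated MAC.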
----------
|From: firewalls-owner
|To: firewalls
|Subject: B1 rated firewall
|Date: Thursday, February 16, 1995 6:29PM
|
|---------------------------------------------------------------
|A computer system manufacturer has pulled out their B1 rated systems (OS
|and hardware combo)
|
|they are now marketing it as a B1 rated firewall. Does anyone know if there
|are any B1 rated firewall products, or would a B1 rated OS make a good
|firewall on its own?
|
|Are applications running on a B1 rated system deemed B1?
|
|Does the Orange book make any reference to firewalls?
|
|--
||------------------------------------------------------------------------|
|| Bryon Bertrim        | Hardware Canada Computing    (613) 723-2359     |
|| bryon@hcc-unisol.com | Canada's One Stop Unix Shop                     |
||------------------------------------------------------------------------|