>>>>> "Bill" == Bill Stout <stoutb @
Bill> I am in the process of compiling a checklist for Corporate-level
Bill> Firewall evaluations. Has anyone done this already?
You mean written down? :-)
This looks pretty good ... a few comments...
Bill> o O.S. Support
It might also be useful at this point to consider the level of
reliance on the OS. In most cases, there is significant reliance on
the security of the underlying OS for the integrity and security of
the "firewalling" application itself. However, it's certainly
possible to build one in such a way that there is no reliance on the
underlying OS. (i.e., is the application writing to the bare metal?)
I don't know of any commercial offerings that locally support a
general-purpose OS but don't trust it for anything.
Bill> o Attack Response
How about attack detection? :-)
Bill> o Protocol support (Intranet)
(As opposed to Internet? I think I'm missing something here...)
Bill> o Desktop O.S. authentication support
Might be useful to turn this into a less host-centric view and more of
a net-centric one, i.e., support of NDS, X.509, Kerberos, etc., for
authentication. Desktop OSes and authentication don't mix well.
Bill> o Encryption support/VPNs
Some good add-ons here would be some questions that should determine
whether the crypto is any good. My Snake Oil FAQ has some pretty good
warning signs that could be easily made into questions...
Bill> o Scalability
And, of course, finding out _how_ the thing scales is important. Is
it really scaling, or is it clustering? :-)
Bill> o Certifications
I don't know that I'd even bother with this. Sort of perpetuates the
myth that it means anything more than it being possible to configure
the thing in a way that's more secure than a wide-open router.
Bill> o Cost of Ownership
Administrative overhead might be worth a mention here, or as a
subtopic of this. What kind of expertise does it require for
day-to-day stuff, etc.
o training availability and pricing
o vendor support
o hype factor :-)
o longevity in building good _security_ applications
o sales junk ... are they suggesting that someone can effectively run
the thing without any clue about IP, security, or anything like
that? If so, they're almost certainly full of it. I bet I can
configure the thing poorly enough to render it almost useless,
security-wise. If I can, I'll bet that there are people out there
Matt Curtin Chief Scientist Megasoft Online cmcurtin @
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself
Pull AGIS.NET's plug! Crack DES NOW! http://www.frii.com/~rcv/deschall.htm