> From: "mouss" <[EMAIL PROTECTED]>
>
> <snip>
> yes, these problems are more social and economical than technical, but can't
> anything be done to make things better?
> I think of something like deriving product categories with "exact"
> definitions and only delivering specific certificates
> for products that exactly match their definitions. to be more precise,
> saying that "a firewall is certified" is a
> thing that I'm not interested in, while having "this FW is certfied to be a
> category F234" will be more helpful.
What you have just described is a "Protection Profile", which is another
piece of the Common Criteria. A PP is basically a Security Target for
what is wanted rather than what has been built. A PP specifies the
intended environment, threats, etc.; plus it preselects certain security
features and assurances. A product going through an evaluation can
claim to be compliant with one or more PPs in addition to an evaluation
assurance level (EAL), though most if not all PPs will include an EAL
as part of the requirements.
The old C2 and B1 specs have been rewritten as PPs, and there is a lot
of effort going on to make PPs for specific kinds of products: firewalls,
operating systems, smart cards, databases, etc. The PP has to go through
an evaluation as well to make sure that it is consistent and that it meets
the requirements for a PP.
Some PPs can be seen at
http://www.radium.ncsc.mil/tpep
I understand that there are some more OS and Firewall PPs being built.
The Firewall PP that is at this location is designated as being for
"Low Risk Environments". I think the next one might be for medium
risk environments. SPARTA has an automated tool, called the CC Toolbox,
that will help you write STs and PPs. I think it only works on Wintel
boxes though.
paul
---------------------------------------------------------
Paul A. McNabb, CISSP Argus Systems Group, Inc.
Senior Vice President and CTO 1809 Woodfield Drive
[EMAIL PROTECTED] Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433 "Securing the Future"
---------------------------------------------------------
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
