At 02:49 PM 4/19/00 -0400, Paul D. Robertson wrote:
>On Wed, 19 Apr 2000, Rick Murphy wrote:
---prior comments deleted for brevity---
Hi,
Here are some pointers and my explanation of the CC evaluation.
First off, the on-line documents are listed below.
The overall home page is here:
http://www.radium.ncsc.mil/tpep/
The Trusted Product Evaluation Program (TPEP) page is here:
http://www.radium.ncsc.mil/tpep/tpep.html
The Evaluated Products List (EPL) is here:
http://www.radium.ncsc.mil/tpep/epl/index.html
The Traffic Filter Firewall Protection Profile (PP) for Low Risk
Environments is here:
http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html
The Security Target (ST) for the Cisco PIX is here:
http://www.radium.ncsc.mil/tpep/library/fers/TTAP-ST-0002.pdf
And the Final Evaluation Report (FER) is here:
http://www.radium.ncsc.mil/tpep/library/fers/TTAP-FER-0002.pdf
(Look around and I'll bet that you can find the docs for the Firewall-1
evaluation as well. ;-)
And, a FAQ about all of this is here:
http://www.radium.ncsc.mil/tpep/process/faq.html
To simply put it, the formal evaluation process is to try to get things
on a level playing field. The Protection Profile for Low Risk Environments
was written with the thought that each applicant would have to address each
of the requirements for a "firewall" (as it is defined in the PP). For
each requirement, we wrote how the PIX addressed it. We had to go through
explanations of the mechanisms of the features of the PIX for justification.
At the end of that, armed with our lengthy set of documents, Computer
Sciences Corp. (the evaluator) tested the PIX to assure that it did indeed
meet the requirements in the ways that were described and that each
requirement of the PP was satisfied with the way that it was addressed by
the PIX.
Let me go through a short diatribe of "How does this relate to me?"
{Where "me" refers to the person looking for a "firewall".}
Do not interpret this to mean that the PIX or the Firewall-1 is "better"
than any other firewall because of this certification. What this means is
that we (and Checkpoint) addressed the requirements of the PP, and our
mechanisms and processes passed the formal evaluation. _IF_ you read and
understand the PP and the FER of each evaluated product, _THEN_ you can see
if any of those products will meet your own requirements. By reading these
things, you can also gauge the amount of "wiggle room" in how we addressed
each requirement. In some respects the Protection Profiles are an attempt
to severely reduce the "wiggle room". The authors tried to distill the
actual and implementable requirements for a firewall that would meet certain
conditions. They wanted something that would be very "real world". They
actually held meetings and solicited comments to try to get a robust
definition of the capabilities of a "firewall".
Saying that however, this does get back to the question of which firewall
is the "best", as has been discussed on this list for years. There is no
"best". There is no security "one size fits all" solution. My best and
most honest recommendation is to find a firewall that meets your goals and
satisfies your policies. This is actually in line with the recommendations
of NCSC as they answer the question of "Should I buy an evaluated product?"
http://www.radium.ncsc.mil/tpep/process/faq-sect6.html#Q1
My final summary:
WRONG: I'm going to get a firewall that has been certified because that
must mean it's good.
RIGHT: I have written my security policy and can articulate my requirements
in a firewall. Now I'll go looking for something that will meet my
expectations.
I hope that this helps to get the facts out about this certification.
Thanks,
Chris Lonvick
Cisco Systems
Consulting Engineering
Office of the CTO
+1.512.378.1182