Chris, I feel your thinking on this may be a bit narrow-minded, or you obviously do not live or work in the government sector or in a large corporate environment.... Much weight IS given to those products that meet the Common Criteria and other testing marks. The reasons are many.

* One, the persons making the decisions may not fully understand the technology, so some form of formal testing gives them a warm fuzzy and a chance to compare apples to oranges. Plus it ensures that money spent now will not have to be spent again down the road when it comes time to integrate other things. They rely on information from accepted experts using established methodology and industry standards to provide them with insight into certain capabilities. Then they leave it up to so-called experts to implement.

* Two, in this arena there is a shortage of trained and qualified persons to test/evaluate and implement products. You are lucky to get someone trained and barely competent, only to lose them 6 months to a year later to someone willing to add a few zeroes to their weekly paychecks. Then you have to start all over.

* Three, the technology is moving at such a rapid development pace these days that nobody could keep up with it by themselves. So you have to pool your knowledge. Gone are the days where every company or agency could afford to set up a laboratory and do their own testing in some sort of bake-off. That costs a great deal of money in time, manpower, space, etc.... So we rely on others to do the work for us, then base our decisions off of that.

* Four, the Common Criteria will spin off in areas of compatibility that I don't think we even know exist... but one thing we do know is that by signing up to a methodology and standard now, it will make things a hell of a lot easier down the road when it comes time to integrate new and emerging technology.

> -----Original Message-----
> From: Chris M. Lonvick [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, November 28, 2000 5:15 PM
> To: Frederick M Avolio; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE:
>
> At 03:37 PM 11/28/00 -0500, Frederick M Avolio wrote:
> >At 12:14 PM 11/28/00 -0800, [EMAIL PROTECTED] wrote:
> >>Take a look at these links for approved Firewalls
> >>NSA: http://www.radium.ncsc.mil/tpep/index.html
> >>
> >>NIAP: http://niap.nist.gov/cc-scheme/ValidatedProducts.html
> >
> >Yes, I encourage anyone who thinks that the Common Criteria sounds like a
> >wonderful invention to skim at least a few of the documents, but only
> >until your head starts swimming. Stop well before full vertigo sets in, if
> >you can. But don't lose sight of the security targets and that they are
> >product unique.
>
> Hi Fred,
>
> The STs are, by definition, unique to the products. I do recall that
> some of the ITSEC C2 evaluations were sounding a bit cheesy. At one
> point, I figured that I could get a Red Book C2 evaluation of a cinder
> block if I wrote the ST to explicitly define how it blocked all
> traffic between a trusted and an untrusted network. The Discretionary
> Access Controls would be at the discretion of me. The installation
> process would be rather simple and potentially fun.
> 1. Cut all wires.
> 2. Install CinderBlock (tm) Firewall by smashing it
>    on top of all other networking equipment.
> 3. Adhere wires to the appropriate sides of the
>    CinderBlock (tm) Firewall with ABC gum. Make sure
>    that wires don't touch each other.
> 4. Verify that Access Controls are working properly.
> 5. Write check for annual maintenance.
>
> The Protection Profiles are an attempt to rein in all of the ponderously
> great thoughts that went into the full-blown CC to provide guidelines
> that apply to the environment; in this case, firewalls. The group that
> put together the PP for "Traffic-Filter Firewall for Low Risk
> Environments" did so with the thought that they could get something
> together that would define the way that most people implement a firewall
> in most situations. Having seen the way that some people run their
> firewalls, I think that some of the criteria were a bit stringent. It
> does, however, cover a lot of cases and it has a lot of good thoughts
> in it.
>
> I will say that no one should select a product simply because it has (or
> hasn't) passed some evaluation. In the case of NIAP (formerly TTAP),
> people really should read the ST (no matter how much it makes their
> head hurt) to find out how the product is addressing the PP. If they
> find that it applies to their situation, then they can have some assurance
> that the product will do what the manufacturer says it will do, and that
> it has been independently tested. If they find that the ST doesn't apply
> to their situation, or that the product hasn't been evaluated, that
> doesn't mean that the product should not be considered. There are a lot
> of good products out there that haven't gone through the process.
>
> Later,
> Chris
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
