Hi Fred,
I agree with everything you wrote. I would give the same caution
to people about the ICSA certification: Read and understand the
criteria used for the evaluation and see if it meets with your
requirements.
I've used this analogy before: Buying a firewall is like buying a
car.
- The simple-minded make their choice on looks and color alone. The
somewhat better person would actually look under the hood. Those
people are a "wreck waiting to happen" and should be avoided (or
educated ;-).
- The more intelligent people would first decide how they were going
to use their vehicle and then select an appropriate model - pickup,
SUV, sedan, etc. They would also be likely to pick up a copy of a
comparison guide, or several comparison guides. One guide could
say that the testers use the same track and make the same measurements
over all of the vehicles they test to give a flat "apples to apples"
comparison. Another guide may say that they test the vehicles as they
are going to be used; performance cars on a racetrack, off-road
vehicles in the wild, etc., to give a comparison of like-vehicles.
Yet another guide could present customer satisfaction statistics.
- Making a decision solely upon the recommendation that it is the
"best" from any single comparison guide would be silly. The buyer
should really understand the guide and see what were the test criteria.
They should compare that to their own expectations of use.
More comments in-line.
At 05:29 PM 11/28/00 -0500, Frederick M Avolio wrote:
>Chris,
>
>STs and CCs and that's only part of the problem with this complex thing. My main
>hatred (hmmm, no that's not too strong a word) of the CC is that it easily fools the
>unsuspecting into thinking that it is *the* solution to their problems. It sounds so
>wonderful. A common, government blessed criteria. So they envision a single firewall
>criteria set that all firewalls have to achieve making their selection job much
>easier. But that is not what they get.
Agreed. That's why it's so critical that people looking at the CC
evaluations look at the ST... even if it makes their head hurt.
>In fact, I think it makes their selection harder because first they have to
>understand security targets and criteria sets and all the other stuff.
I'd have to say that the ICSA criteria must be read and understood before
people rely upon it for guidance.
http://www.icsa.net/html/communities/firewalls/certification/criteria/criteria_3.0a.shtml
People who find a product on the ICSA evaluation list and who have read
and understood the testing criteria will have one datum. People who
find a product on the NIAP evaluated products list and who read their
associated STs will have another datum. Anyone should be able to use
either of these as input to start making an informed decision.
>I've been on record in supporting ICSA Labs certification. I supported it when a
>vendor, and still do. But if you don't like ICSA then go with some other private
>sector certification. Or come up with your own with a simpler criteria set. Not one
>that covers every possible computer-based product that might need some kind of
>certification (ah ha! but it isn't even a certification, is it). The Common Criteria
>is cumbersome and looks like it was invented by government committee. And
>son-of-a-gun, it was...
Agreed. The CC evaluation is an evaluation.
_IF_ you set up the Target Of Evaluation in exactly the same manner
as specified by the Evaluated Configuration in the Security Target,
_THEN_ the Target of Evaluation will accomplish the Security Objectives.
I'd have to say that there are not too many people who actually do the
"if" clause. This is somewhat similar to the ICSA criteria - not everyone
sets up their firewall in the exact same manner as specified in the ICSA
lab reports. For the CC evaluation, that means that it has not been
evaluated so there is no assurance that it will meet the security
objectives. For the ICSA certification, it usually means that there's
more than one way to skin a cat.
>Sorry. I guess I'm ranting (though not raving... yet). Better adjust my medication.
Which way? :-)
Later,
Chris