On Fri, 3 May 2002, Thomas Syrstad wrote:

> Why ICSA? What about Common Criteria?

More firewalls are tested by ICSA Labs[1] than all the CC labs put together AFAIK[2][2a].

> Common Criteria strives to achieve international standards
> for security products, and CC have no commercial interests
> in doing testing of "security products"....

Bzzzt- CC-accredited test labs are commercial entities.

Also, unless all the products are submitted under the same protection profile, there's no way to tell if two products offer equivalent protection.

Lastly (and I understand there was a move to change to common PPs and perhaps address continuous testing), CC is a static test like the old TCSEC stuff- so if a new attack comes out, the test labs for CC don't shoot the attack against all currently certified products and revoke certification if the vendor doesn't patch.[3] I haven't looked recently to see if there's been progress on either front though- not that it would necessarily affect any of the currently evaluated products if there was. CC will be more useful if those happen though.

CC is a lot like an ISO9001 certification, where the vendor can set the standards they'll be measured against and then get measured against them. This can be alleviated by using common profiles, but it's not necessary to achieve a good evaluation.

ICSA Labs has looked at being a CC certification lab in the past, and I'm sure it'll be explored again in the future. It's certainly possible to take the current criteria and translate it to a CC profile. Personally, I don't see huge value in doing so, but others disagree with me[5].

Many product vendors see value in Common Criteria testing and certification. Many pursue it because it's mandatory for certain markets.

Many product vendors see value in ICSA Labs certification. Some pursue it because it's mandatory for certain markets.

Some vendors do both ICSA and Common Criteria certification. A few vendors do neither. The same is true of customers requiring one or the other program.

With any certification program, it's important to understand the exact criteria, methodology and interests involved before relying on the outcome to make a choice.

Paul

[1] I work for TruSecure; ICSA Labs is one of our divisions.
[2] This could be a good or a bad thing; your evaluation may differ from mine.
[2a] Contrary to popular opinion, not every product that's tested passes.
[3] ICSA Labs is in continuous deployment mode for all certified products and regularly shoots new attacks at them. Vendors must resist new attacks or lose certification.
[4] ICSA Labs uses a common test criteria for all products and configures the products to pass the same sorts of traffic- which would be the equivalent of using the same PP in CC land.
[5] My personal opinion has no bearing on what the Labs does or will do in that arena.
[6] That's way too many footnotes!

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
                        which may have no basis whatsoever in fact."
