Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-12 Thread Henning Brauer
* Keith  [2010-02-02 00:16]:
> I've used OpenBSD & PF for a number of years without issue and am
> now in the position that I want to create a DMZ between the Internet
> and my organisation's WAN. Our security people are asking if the
> firewall that we use is accredited by ITSEC and I am pretty sure
> it isn't, but it turns out that our security people will be happy if
> the firewall is accredited for use by another government!

i herewith certify openbsd + pf for use by government clowns

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-04 Thread SJP Lists
On 2 February 2010 10:06, Keith  wrote:
> I've used OpenBSD & PF for a number of years without issue and am now in the
> position that I want to create a DMZ between the Internet and my
> organisation's WAN. Our security people are asking if the firewall that we
> use is accredited by ITSEC and I am pretty sure it isn't, but it turns out
> that our security people will be happy if the firewall is accredited for use
> by another government!

For the interest factor (and since I can't find the email it's just
hearsay), I sent an email to the OpenBSD sparc mailing list in
December 2005 and to my surprise, received an out-of-office
on-holidays bounce back from someone in the Pentagon Army Operations
Center!

However, governments the world over, staffed with people who hate their
jobs, have difficulty getting public transport working.  So how
they're supposed to accredit something as complex as an OS is beyond
me!

That sort of crap is for arse covering anyway.  For washing one's hands
of the problem and being able to claim to have performed due
diligence, even if they know it's a bullshit exercise.



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-04 Thread T. Ribbrock
On Wed, Feb 03, 2010 at 11:10:59PM +0100, Martin Schröder wrote:
> 2010/2/3 Jean-Francois :
> > It's not clear to me: does this firewall reach EAL4+ or EAL6, as stated in their
> > doc

> "Certified by the BSI according to CC at the level EAL 4+"

> http://www.genua.de/genua/kunden/index.en.html

ITYM http://www.genua.de/produkte/firewall/genugate/zerti/index.en.html

The EAL6 refers to the augmentations they did to the EAL4 package (the
"+" in EAL4+). Nonetheless, neither means *anything* unless you've also
read the claims they've made ("Security Target"). In theory, they could
evaluate the whole firewall under the assumption that no network
connections are present and *still* get a valid EAL4+ certification - so
you really need to know what the claims were.

Genua themselves don't seem to provide easy access on their own site to
the Security Target (though I didn't search very thoroughly), but you
stand a good chance of finding the full public report on
http://www.commoncriteriaportal.org/

Cheerio,

Thomas
-- 
 ** PLEASE: NO Cc's to me privately, I do read the list - thanks! **
-
Thomas Ribbrock    http://www.ribbrock.org
   "You have to live on the edge of reality - to make your dreams come true!"



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Martin Schröder
2010/2/3 Jean-Francois :
> It's not clear to me: does this firewall reach EAL4+ or EAL6, as stated in their
> doc

"Certified by the BSI according to CC at the level EAL 4+"

http://www.genua.de/genua/kunden/index.en.html

Best
Martin



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Jean-Francois
On Tuesday 2 February 2010 20:29:29, Martin Schröder wrote:
> 2010/2/2 Keith :
> > Can anyone help me out ?
>
> If you need professional services:
> http://www.genua.de/produkte/firewall/genugate/index.en.html
>
> Their firewalls are OpenBSD based.
>
> Best
> Martin
>

It's not clear to me: does this firewall reach EAL4+ or EAL6, as stated in their
doc
(http://www.genua.de/dateien/genugate-salesfolder-en.pdf)?



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Janne Johansson

Eugene Yunak wrote:
> 2010/2/2 Keith :
>> organisation's WAN. Our security people are asking if the firewall that we
>> use is accredited by ITSEC and I am pretty sure it isn't, but it turns out
>> that our security people will be happy if the firewall is accredited for use
>> by another government!
>
> Ukrainian government has certified a distribution called BBOS that
> basically is a customised OpenBSD,

.."In Soviet Russia, OpenBSD certifies you!"



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Eugene Yunak
2010/2/2 Keith :
> I've used OpenBSD & PF for a number of years without issue and am now in the
> position that I want to create a DMZ between the Internet and my
> organisation's WAN. Our security people are asking if the firewall that we
> use is accredited by ITSEC and I am pretty sure it isn't, but it turns out
> that our security people will be happy if the firewall is accredited for use
> by another government!
>
> I am very happy with my PF firewalls and their reliability and don't want to
> be forced into purchasing some Cisco / forenet commercial firewall that I've
> never used before, so am desperate to find some details of any foreign
> governments that are using OpenBSD / PF as a firewall or any details of any
> certification of the PF firewall.
>
> Can anyone help me out?
>
> Thanks
> Keith
>

The Ukrainian government has certified a distribution called BBOS that
is basically a customised OpenBSD, modified for compatibility with
local security standards, for use as servers and clients with
access to the Internet, and to protect information classified as government
secret.

http://www.atmnis.com/documents.php?lng=ENG
http://www.atmnis.com/files/user_files/BBOS.pdf
http://www.atmnis.com/files/user_files/BBOS_OS.pdf

-- 
The best the little guy can do is what
the little guy does right



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread T. Ribbrock
On Tue, Feb 02, 2010 at 02:15:00PM -0500, Brad Tilley wrote:
> Common Criteria - http://www.iso15408.net
[...]
> I think the certification process can be very narrowly focused on a
> few parts of the system
[...]

Yup, that's the whole idea behind CC - all the evaluation does is verify
the claims that the vendor has outlined in the "Security Target" (ST). The
"EAL" levels only tell you to what depth this has been done.
Hence, the "EAL" tells you zilch unless you also read the ST (i.e. the
vendor claims). In some areas (e.g. smartcards), requirements for STs
have been standardised to some extent, so the CC results are more
comparable - but in other areas, vendors can pretty much claim what they
want...

Cheerio,

Thomas
-- 
 ** PLEASE: NO Cc's to me privately, I do read the list - thanks! **
-
Thomas Ribbrock    http://www.ribbrock.org
   "You have to live on the edge of reality - to make your dreams come true!"



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread David Gwynne
On 03/02/2010, at 8:49 PM, Stuart Henderson wrote:

> On 2010-02-01, Keith  wrote:
>> I've used OpenBSD & PF for a number of years without issue and am now in
>> the position that I want to create a DMZ between the Internet and my
>> organisation's WAN. Our security people are asking if the firewall that
>> we use is accredited by ITSEC and I am pretty sure it isn't, but it
>> turns out that our security people will be happy if the firewall is
>> accredited for use by another government!
> 
> You could always put an accredited firewall behind the real one.
> This also means you can tick the 'multi-vendor' box.
> 
> To reduce your management hassles you could just leave all ports open.

leave them open on the accredited firewall of course.



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Stuart Henderson
On 2010-02-01, Keith  wrote:
> I've used OpenBSD & PF for a number of years without issue and am now in
> the position that I want to create a DMZ between the Internet and my
> organisation's WAN. Our security people are asking if the firewall that
> we use is accredited by ITSEC and I am pretty sure it isn't, but it
> turns out that our security people will be happy if the firewall is
> accredited for use by another government!

You could always put an accredited firewall behind the real one.
This also means you can tick the 'multi-vendor' box.

To reduce your management hassles you could just leave all ports open.



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-03 Thread Jan Stary
> Given such limitations, perhaps you might propose a more
> open evaluation and make code access for audit, including by escrow
> access for an established third-party authority, as a major criterion?

To simplify things, I have just certified the 4.6/i386 GENERIC
that runs my router as "The Best Damn OS On Earth For The Job".
So yeah, OpenBSD+pf is accredited now.



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread Marco Peereboom
Oh come on.  Security certification is a laughably stupid concept.
Giving it any sort of lip service is disingenuous.

On Tue, Feb 02, 2010 at 02:15:00PM -0500, Brad Tilley wrote:
> On Tue, 02 Feb 2010 18:09 +, "Bayard Bell" 
>  wrote:
> > Formal evaluation just means that the features judged relevant to the
> > evaluation can be minimally verified. On the flip side, there's David
> > Litchfield's observation in the introduction to The Oracle Hacker's
> > Handbook: "The Oracle RDBMS was evaluated under Common Criteria to
> > EAL4... However, the first few versions of Oracle that gained EAL4 had
> > a buffer overflow in the authentication mechanism." He goes on to say that
> > standards are necessary to some extent but not fully indicative.
> > You'll find summary arguments and starting links off the Common
> > Criteria's Wikipedia entry. Given such limitations, perhaps you might
> > propose a more open evaluation and make code access for audit,
> > including by escrow access for an established third-party authority,
> > as a major criterion?
> 
> Common Criteria - http://www.iso15408.net - has largely replaced ITSEC and
> others. Like some other ISO standards, you may have to purchase a copy. I
> would say that CC makes some people feel good, but does little in the way of
> real security. Microsoft Windows XP is EAL4 certified when configured certain
> ways. I think the certification process can be very narrowly focused on a few
> parts of the system so the vendor can say, "Look at this component of our OS,
> but not those" or "Certify our OS when configured a certain way".
>
> It's a costly process too and takes a while to complete. I'm not sure any open
> source OS is certified. For-profit, vendor-backed Linux distributions (RHEL)
> may be, as they have the time and money to waste on it, and TrustedBSD makes
> reference to CC, but I don't think it's certified.
> 
> Brad
>  
> > On 1 Feb 2010 at 23:06, Keith wrote:
> > 
> > > I've used OpenBSD & PF for a number of years without issue and am
> > > now in the position that I want to create a DMZ between the Internet
> > > and my organisation's WAN. Our security people are asking if the
> > > firewall that we use is accredited by ITSEC and I am pretty sure
> > > it isn't, but it turns out that our security people will be happy if
> > > the firewall is accredited for use by another government!
> > >
> > > I am very happy with my PF firewalls and their reliability and don't
> > > want to be forced into purchasing some Cisco / forenet commercial
> > > firewall that I've never used before, so am desperate to find some
> > > details of any foreign governments that are using OpenBSD / PF as a
> > > firewall or any details of any certification of the PF firewall.
> > >
> > > Can anyone help me out?
> > >
> > > Thanks
> > > Keith
> > >



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread Martin Schröder
2010/2/2 Keith :
> Can anyone help me out ?

If you need professional services:
http://www.genua.de/produkte/firewall/genugate/index.en.html

Their firewalls are OpenBSD based.

Best
Martin



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread swilly
On Mon, Feb 1, 2010 at 18:06, Keith  wrote:
> I am very happy with my PF firewalls and their reliability and don't want to
> be forced into purchasing some Cisco / forenet commercial firewall that I've
> never used before, so am desperate to find some details of any foreign
> governments that are using OpenBSD / PF as a firewall or any details of any
> certification of the PF firewall.

It is my opinion that its use at Defcon should be more than adequate
to "certify" it for your needs.




Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread Brad Tilley
On Tue, 02 Feb 2010 18:09 +, "Bayard Bell" 
 wrote:
> Formal evaluation just means that the features judged relevant to the
> evaluation can be minimally verified. On the flip side, there's David
> Litchfield's observation in the introduction to The Oracle Hacker's
> Handbook: "The Oracle RDBMS was evaluated under Common Criteria to
> EAL4... However, the first few versions of Oracle that gained EAL4 had
> a buffer overflow in the authentication mechanism." He goes on to say that
> standards are necessary to some extent but not fully indicative.
> You'll find summary arguments and starting links off the Common
> Criteria's Wikipedia entry. Given such limitations, perhaps you might
> propose a more open evaluation and make code access for audit,
> including by escrow access for an established third-party authority,
> as a major criterion?

Common Criteria - http://www.iso15408.net - has largely replaced ITSEC and
others. Like some other ISO standards, you may have to purchase a copy. I would
say that CC makes some people feel good, but does little in the way of real
security. Microsoft Windows XP is EAL4 certified when configured certain ways.
I think the certification process can be very narrowly focused on a few parts
of the system so the vendor can say, "Look at this component of our OS, but not
those" or "Certify our OS when configured a certain way".

It's a costly process too and takes a while to complete. I'm not sure any open
source OS is certified. For-profit, vendor-backed Linux distributions (RHEL) may
be, as they have the time and money to waste on it, and TrustedBSD makes
reference to CC, but I don't think it's certified.

Brad
 
> On 1 Feb 2010 at 23:06, Keith wrote:
> 
> > I've used OpenBSD & PF for a number of years without issue and am
> > now in the position that I want to create a DMZ between the Internet
> > and my organisation's WAN. Our security people are asking if the
> > firewall that we use is accredited by ITSEC and I am pretty sure
> > it isn't, but it turns out that our security people will be happy if
> > the firewall is accredited for use by another government!
> >
> > I am very happy with my PF firewalls and their reliability and don't
> > want to be forced into purchasing some Cisco / forenet commercial
> > firewall that I've never used before, so am desperate to find some
> > details of any foreign governments that are using OpenBSD / PF as a
> > firewall or any details of any certification of the PF firewall.
> >
> > Can anyone help me out?
> >
> > Thanks
> > Keith
> >



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread Bayard Bell
Formal evaluation just means that the features judged relevant to the
evaluation can be minimally verified. On the flip side, there's David
Litchfield's observation in the introduction to The Oracle Hacker's
Handbook: "The Oracle RDBMS was evaluated under Common Criteria to
EAL4... However, the first few versions of Oracle that gained EAL4 had
a buffer overflow in the authentication mechanism." He goes on to say that
standards are necessary to some extent but not fully indicative.
You'll find summary arguments and starting links off the Common
Criteria's Wikipedia entry. Given such limitations, perhaps you might
propose a more open evaluation and make code access for audit,
including by escrow access for an established third-party authority,
as a major criterion?


On 1 Feb 2010 at 23:06, Keith wrote:

> I've used OpenBSD & PF for a number of years without issue and am
> now in the position that I want to create a DMZ between the Internet
> and my organisation's WAN. Our security people are asking if the
> firewall that we use is accredited by ITSEC and I am pretty sure
> it isn't, but it turns out that our security people will be happy if
> the firewall is accredited for use by another government!
>
> I am very happy with my PF firewalls and their reliability and don't
> want to be forced into purchasing some Cisco / forenet commercial
> firewall that I've never used before, so am desperate to find some
> details of any foreign governments that are using OpenBSD / PF as a
> firewall or any details of any certification of the PF firewall.
>
> Can anyone help me out?
>
> Thanks
> Keith





Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-01 Thread Matthew Szudzik
On Mon, Feb 01, 2010 at 11:06:12PM +, Keith wrote:
> firewall that I've never used before so am desperate to find some
> details of any foreign governments that are using OpenBSD / PF as a
> firewall or any details of any certification of the PF firewall.

Did you see the "Governments" section of

 http://www.openbsd.org/users.html

?



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-01 Thread Marco Peereboom
those are some funny clowns.

OMGITSEC hilarious!

On Mon, Feb 01, 2010 at 11:06:12PM +, Keith wrote:
> I've used OpenBSD & PF for a number of years without issue and am now in
> the position that I want to create a DMZ between the Internet and my
> organisation's WAN. Our security people are asking if the firewall that
> we use is accredited by ITSEC and I am pretty sure it isn't, but it
> turns out that our security people will be happy if the firewall is
> accredited for use by another government!
>
> I am very happy with my PF firewalls and their reliability and don't
> want to be forced into purchasing some Cisco / forenet commercial
> firewall that I've never used before, so am desperate to find some
> details of any foreign governments that are using OpenBSD / PF as a
> firewall or any details of any certification of the PF firewall.
>
> Can anyone help me out?
>
> Thanks
> Keith
>



Is OpenBSD + PF accredited or certified in any way ?

2010-02-01 Thread Keith
I've used OpenBSD & PF for a number of years without issue and am now in
the position that I want to create a DMZ between the Internet and my
organisation's WAN. Our security people are asking if the firewall that
we use is accredited by ITSEC and I am pretty sure it isn't, but it
turns out that our security people will be happy if the firewall is
accredited for use by another government!


I am very happy with my PF firewalls and their reliability and don't
want to be forced into purchasing some Cisco / forenet commercial
firewall that I've never used before, so am desperate to find some
details of any foreign governments that are using OpenBSD / PF as a
firewall or any details of any certification of the PF firewall.


Can anyone help me out?

Thanks
Keith


__ Information from ESET NOD32 Antivirus, version of virus signature 
database 4825 (20100201) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com