> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Cheth Cheth
> Sent: Tuesday, May 28, 2002 10:36 AM
> To: [EMAIL PROTECTED]
> Subject: ITSEC E3 firewalls
> 
> 
> 
> I have some questions about E3 compliant firewalls that some 
> of you may be able to help with:
> 
> - I know that FW-1 4.1 SP2 on Solaris 2.6 is E3 certified. Are 
> SP5 and NG certified?

Not as far as I can see. NG is in eval for both E3 and EAL4 (the CC
equivalent of E3). Note that 4.1 is not formally EAL4 certified. This
may or may not be relevant to you.

> - Any ideas when FW-1 on Nokia IPSO will be certified?

You'd need to see the TOE (target of evaluation) for NG, as to whether
IPSO is one of the evaluated operating systems. In any case, the IPSO
appliance is independently in eval for E3 by itself. I have no idea what
the TOE will be though - it's hard to create a meaningful test for a box
that does nothing much by itself.

> - Is it true that an E3 firewall can only have one interface 
> attached to an untrusted network?

No.

E3 is not really one of the very high assurance targets. The main good
thing about E3 is that the testing involves source code review, and that
it's what we call "crystal box" testing (the testers can find dodgy bits
of code and specifically test those bits to see if they are broken). I
think the most important thing to realise is that the certification body
only looks at the bits the vendor tells it to. One classic example is
the old Cisco PIX TOE, which excluded the NAT functionality - but they
still got the stamp. This is why it's very important to download the
certification report for the product you're interested in and read it
carefully.

> Thanks in advance,
> 
> C.

You can find lots of ITSec / CC documentation here:
http://www.cesg.gov.uk/assurance/iacs/itsec/index.htm

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304 

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
