On Wed, 19 Apr 2000, Rick Murphy wrote:
> > > The only 2 firewalls that have passed NSA's security tests are FW-1 and PIX.
> >
> >That's funny, I recall positive reports for Sidewinder and Gauntlet, but I
> >think the mitten site was pulled about six months ago, do you have a
> >reference for the above assertion?
> Paul, you're thinking of the tests that NSA performed on firewalls a few
> years ago. They issued reports on their testing of Gauntlet, Sidewinder,
> and V-One Smartwall IIRC. NSA tested Firewall-1 but the results were never
> released.
Yep, that's the one!
> What Oscar's reporting on is the Common Criteria testing of firewalls by
> third-party commercial testing labs. Four firewalls have received Common
> Criteria evaluations - Milkyway, PIX, Lucent Managed Firewall, and
> Firewall-1. Only Firewall-1 and PIX have been found conformant to the NSA
> Firewall Protection Profile; Firewall-1 both traffic filter and application
> gateway profiles.
> Milkyway was tested in Canada; LMF was tested in the US but does not claim
> conformance to the US Firewall Protection Profile.
>
> So, Oscar's comment is correct if you replace "NSA's security test" with
> "NSA's security requirements". NSA isn't the sole author of the profile.
I haven't seen the firewall profile, but if the criteria are in the same vein
as the "normal" common criteria, I'm prepared to be totally underwhelmed.
Having had some fairly involved discourse in the past with people who have
been through the CC certification for a product, I've absolutely no faith
in it. Obviously others do, and my second-hand education in firewall
testing mechanisms and policies is having an effect on my views of tests,
as well as my view of specific certification criteria and vendor
compliance.
From my CC readings, discussions and information, I'm of the opinion that
there's too much vendor-specific wiggle room inside the criteria, but
again, I haven't looked at the firewall profile specifically.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280