> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 April 2000 4:20 AM
> To: Rick Murphy
> Cc: Firewalls
> Subject: Re: Proxy Server for Cisco??
> 
> 
> On Wed, 19 Apr 2000, Rick Murphy wrote:
> 
> > > > The only 2 firewalls that have passed NSA's security tests are FW-1 and PIX.

So far. It all looks pretty new. From the source of the page:
  content="Built by build.pl v1.7a May 31, 1999, J. David Thompson">

Last mod was 1-27-00.

The FAQ is still "under construction", too.

[snip]

> > What Oscar's reporting on is the Common Criteria testing of firewalls by
> > third-party commercial testing labs. Four firewalls have received Common
> > Criteria evaluations - Milkyway, PIX, Lucent Managed Firewall, and
> > Firewall-1. Only Firewall-1 and PIX have been found conformant to the NSA
> > Firewall Protection Profile; Firewall-1 both traffic filter and application
> > gateway profiles.

I had a quick read of the security targets (70-odd pages each. Ew.) -
neither were very stressful. If you use NAT on either product, f'rinstance,
or run more than two network cards then note that "It is ... emphasized that
operating the TOE outside its evaluated configuration negates the security
claims made in this ST". Neither product had their VPN capabilities
evaluated.

Also note that the level of evaluation only allows either box to protect (at
most) "sensitive but not classified" information.

> I haven't seen the firewall profile, but if the criteria is in the same vein
> as the "normal" common criteria, I'm prepared to be totally underwhelmed.

Yeah, call me a cynic, but this looks like an easy way for some NIST/NSA
approved companies to make lots of money "evaluating" security companies
that have the time and money to spend on getting products rubber-stamped. No
doubt I'll be asked questions about this too, since it looks like the DSD
here recognises the CC. Joy.

> I haven't looked at the firewall profile specifically.
> 
> Paul 
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                      PSB#9280

I did. Wasn't impressed. Call me nuts.

This is not to say that I have an axe to grind against the PIX 520 or FW-1 -
but this "endorsement" doesn't do anything to make my impression more
positive.

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 