At 03:37 PM 11/28/00 -0500, Frederick M Avolio wrote:
>At 12:14 PM 11/28/00 -0800, [EMAIL PROTECTED] wrote:
>>Take a look at these links for approved Firewalls
>>NSA: http://www.radium.ncsc.mil/tpep/index.html
>>
>>NIAP: http://niap.nist.gov/cc-scheme/ValidatedProducts.html
>
>Yes, I encourage anyone who thinks that the Common Criteria sounds like a wonderful
>invention to skim at least a few of the documents, but only until your head starts
>swimming. Stop well before full vertigo sets in, if you can. But don't lose sight of
>the security targets and that they are product unique.

Hi Fred,

The STs are, by definition, unique to the products. I do recall that some of the ITSEC C2 evaluations were sounding a bit cheesy. At one point, I figured that I could get a Red Book C2 evaluation of a cinder block if I wrote the ST to explicitly define how it blocked all traffic between a trusted and an untrusted network. The Discretionary Access Controls would be at the discretion of me. The installation process would be rather simple and potentially fun.

1. Cut all wires.
2. Install CinderBlock (tm) Firewall by smashing it on top of all other networking equipment.
3. Adhere wires to the appropriate sides of the CinderBlock (tm) Firewall with ABC gum. Make sure that wires don't touch each other.
4. Verify that Access Controls are working properly.
5. Write check for annual maintenance.

The Protection Profiles are an attempt to rein in all of the ponderously great thoughts that went into the full-blown CC to provide guidelines that apply to the environment; in this case, firewalls. The group that put together the PP for "Traffic-Filter Firewall for Low Risk Environments" did so with the thought that they could get something together that would define the way that most people implement a firewall in most situations. Having seen the way that some people run their firewalls, I think that some of the criteria were a bit stringent.

It does, however, cover a lot of cases and it has a lot of good thoughts in it. I will say that no one should select a product simply because it has (or hasn't) passed some evaluation. In the case of NIAP (formerly TTAP), people really should read the ST (no matter how much it makes their head hurt) to find out how the product is addressing the PP. If they find that it applies to their situation, then they can have some assurance that the product will do what the manufacturer says it will do, and that it has been independently tested. If they find that the ST doesn't apply to their situation, or that the product hasn't been evaluated, that doesn't mean that the product should not be considered. There are a lot of good products out there that haven't gone through the process.

Later,
Chris
