Subject: RE:
From: Chris M. Lonvick (clonvickcisco.com)
Date: Tue Nov 28 2000 - 16:15:15 CST


At 03:37 PM 11/28/00 -0500, Frederick M Avolio wrote:
>At 12:14 PM 11/28/00 -0800, wnafwhatcom.ctc.edu wrote:
>>Take a look at these links for approved Firewalls
>>NSA: http://www.radium.ncsc.mil/tpep/index.html
>>
>>NIAP: http://niap.nist.gov/cc-scheme/ValidatedProducts.html
>
>
>Yes I encourage anyone who thinks that the Common Criteria sounds like a wonderful invention to skim at least a few of the documents, but only until your head starts swimming. Stop well before full vertigo sets in, if you can. But don't lose sight of the security targets and that they are product unique.

Hi Fred,

The STs are, by definition, unique to the products. I do recall that
some of the ITSEC C2 evaluations were sounding a bit cheesy. At one
point, I figured that I could get a Red Book C2 evaluation of a cinder
block if I wrote the ST to explicitly define how it blocked all
traffic between a trusted and an untrusted network. The Discretionary
Access Controls would be at the discretion of me. The installation
process would be rather simple and potentially fun.
  1. Cut all wires.
  2. Install CinderBlock (tm) Firewall by smashing it
      on top of all other networking equipment.
  3. Adhere wires to the appropriate sides of the
      CinderBlock (tm) Firewall with ABC gum. Make sure
      that wires don't touch each other.
  4. Verify that Access Controls are working properly.
  5. Write check for annual maintenance.

The Protection Profiles are an attempt to rein in all of the ponderously
great thoughts that went into the full-blown CC to provide guidelines
that apply to the environment; in this case, firewalls. The group that
put together the PP for "Traffic-Filter Firewall for Low Risk
Environments" did so with the thought that they could get something
together that would define the way that most people implement a firewall
in most situations. Having seen the way that some people run their
firewalls, I think that some of the criteria were a bit stringent. It
does, however, cover a lot of cases and it has a lot of good thoughts
in it.

I will say that no one should select a product simply because it has (or
hasn't) passed some evaluation. In the case of NIAP (formerly TTAP),
people really should read the ST (no matter how much it makes their
head hurt) to find out how the product is addressing the PP. If they
find that it applies to their situation, then they can have some assurance
that the product will do what the manufacturer says it will do, and that
it has been independently tested. If they find that the ST doesn't apply
to their situation, or that the product hasn't been evaluated, that
doesn't mean that the product should not be considered. There are a lot
of good products out there that haven't gone through the process.

Later,
Chris
