
Re: Penetration testing via shrinkware


Christopher Nicholls (chrisnsoftway.com.au)
Wed, 23 Sep 1998 11:10:26 +1000


At 08:40 PM 21/09/98 -0400, Marcus J. Ranum wrote:
>Christopher Nicholls wrote:
>>Have you checked out the Common Criteria model?
>
>Yeah, it's like the orange book written by lawyers.
>
>Clearly what happened is that the orange book specs were too
>complex to implement in a timely and cost effective manner.
>So the powers that be decided to implement a security
>evaluation criteria model that would allow them to redefine
>things so that basically anything is OK as long as you
>say it's OK. Cover the problem with layers of paper. :(

That's a little simplistic, Marcus. I don't think the layers of paper are so
much of a problem if the end result is something which is useful. In this
instance paperwork merely suggests qualification...

As I see the issue, there are two aspects to this subject. Firstly, does
the firewall, OS or software stand up to thorough evaluation and to
rigorous testing? And then secondly: does it meet the specifications
established by the certificate authority (DOD or similar) - the security
target?

Surely how well these two aspects are covered and answered will give a
reasonable estimate of the software's security capability? Particularly if
the security target is tightly set.

This discussion sounds too much like we are attempting to be precise in a
very imprecise environment. From an engineering aspect it must be very
frustrating trying to exact such a precise statement of the software's
capability, but this does not necessarily imply that ITSEC or Common
Criteria evaluations are not useful. If you understand their qualifying,
then the process is very useful for the end user who is, in the final
analysis, looking for some ability to discern the "best" from the bunch.

The critical element in such evaluation is the security target. If this is
not strong enough then you are right - it's a waste of time and paper...
but if it is set high enough then it is more useful.

Currently, how else are we going to answer the question: "Which
firewall/OS/ID is the best/most secure for my organisation?"...

Regards

Christopher
----------------------------------------------------------------------
Christopher A. Nicholls
----------------------------------------------------------------------
Softway Pty Ltd ACN: 002 726 641
Canberra Branch Office: Suite 1.3, Dickson Park Professional Centre
151 Cowper Street, Dickson ACT 2602
PO Box 923, Dickson ACT 2602
Ph: +61 2 6257 0666
Fax: +61 2 6257 0665 E-mail: chrisnsoftway.com.au
Mob: 0411 454 755 WWW: http://www.softway.com.au
---------------------------------------------------------------------------



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT