Re: Penetration testing via shrinkware
Marcus J. Ranum (mjr@nfr.net)
Wed, 23 Sep 1998 11:55:02 -0400
- Next message: Cummings, Jeffrey: "Norton Anti-Virus for Firewalls"
- Previous message: Jason L. Snowden: "Re: FW-1: Questions about DHCP and IPX"
- Maybe in reply to: Jim Hebert: "FW-1: Questions about DHCP and IPX"
- Next in thread: Ted Doty: "Re: Penetration testing via shrinkware"
- Reply: Ted Doty: "Re: Penetration testing via shrinkware"
Christopher Nicholls wrote:
>Currently, how else are we going to answer the question: " Which
>firewall/OS/ID is the best/most secure for my organisation?"...
My usual answer is:
"Pffff. They're all the same, modulo details and marketing.
The question isn't the implementation of the firewall, it's
the policy that the firewall's admin installs in it. That's
where the vulnerabilities creep in. You can have the 'most
secure' firewall on the planet and some yutz will let a
connection in on some service because they don't know of
any flaws in it."
For those who haven't looked at it, the common criteria is a
rule-base for building specifications of the security properties
of security systems. In other words, it lets you write a standard
definition of what a firewall should do. Once you've done that
you can apply that definition to specific solutions. This all
sounds great in theory, but:
1) it's prone to vendor lobbying - if you can tailor the
spec then you can target the spec
2) it's prone to wishful thinking - if you know the product
you want to use, it's easy to tailor the spec so the product
meets it
3) it uses a completely synthetic language. Therefore it
is not human readable. In order to understand the spec
you have to be a common criteria maven -- none of the
vendors I know of (myself included!) will take the time
to decipher it if they can possibly avoid it by just
saying "we're under evaluation" like they did with the
orange book stuff
I believe that the common criteria became the sheltering place
for the orange book language lawyers who were out of a job
when the orange book collapsed. The common criteria are the
same kind of nonsense, only writ larger, and more complex.
mjr.
-- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
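Ranum's point is that the rule-base an admin loads into a firewall, not the product's implementation, is where the exposure usually comes from. The following is an added illustration, not code from the original post or from NFR: a small rule-base linter that flags the policy mistakes he describes (a rule that lets anything in on any service, a rule that opens every service, a later rule that is shadowed by an earlier broader one, and a policy with no explicit final deny). The `Rule` record, its CIDR/"tcp/port" notation and the sample policy are all constructed for this example and do not correspond to any vendor's format.

```python
"""Rule-base linter: checks a firewall policy for over-broad "allow" rules,
shadowed rules and a missing final deny, independent of which product
enforces the policy.  Added example; the Rule format and SAMPLE_POLICY
below are constructed for illustration, not any vendor's syntax."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR such as "10.0.0.0/8", or "any"
    dst: str      # CIDR, or "any"
    service: str  # "tcp/22", "udp/53", ..., or "any"
    action: str   # "allow" or "deny"


def _net(spec):
    """Map "any" to 0.0.0.0/0 so every source/destination is a network."""
    return ip_network("0.0.0.0/0" if spec == ANY else spec)


def _covers(broad, narrow):
    """True if `broad` matches every packet that `narrow` would match."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and (broad.service == ANY or broad.service == narrow.service))


def lint(rules):
    """Return a list of (rule name, finding) pairs, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == ANY and rule.service == ANY:
            findings.append((rule.name, "allow any service from any source"))
        elif rule.action == "allow" and rule.service == ANY:
            findings.append((rule.name, "allow all services"))
        # First-match semantics assumed: a rule fully covered by an earlier
        # one can never fire, so its intent is not what the policy enforces.
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY
            and last.dst == ANY and last.service == ANY):
        findings.append(("<policy>", "no explicit final deny-all rule"))
    return findings


# Constructed sample policy; 192.0.2.0/24 is documentation address space.
SAMPLE_POLICY = [
    Rule("admin-ssh", "10.0.0.0/8", "192.0.2.10/32", "tcp/22", "allow"),
    Rule("web-in", ANY, "192.0.2.10/32", "tcp/443", "allow"),
    Rule("dns-out", "10.0.0.0/8", ANY, "udp/53", "allow"),
    Rule("temp-open", ANY, "192.0.2.0/24", ANY, "allow"),  # the risky rule
    Rule("smtp-in", ANY, "192.0.2.20/32", "tcp/25", "allow"),  # never fires
    Rule("cleanup", ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, finding in lint(SAMPLE_POLICY):
        print(f"{name}: {finding}")
```

Running this over the constructed policy reports `temp-open` as allowing any service from any source and `smtp-in` as shadowed by `temp-open`; the same checks give the same answer whatever product the policy is loaded into, which is the point of the post.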
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT