Subject: Re: Firewalls - ITSEC Rating?
From: Tim.Wundkecamtech.com.au
Date: Fri Feb 04 2000 - 00:18:16 CST


On 3 Feb, Marcus J. Ranum wrote:
>
>>The ITSEC evaluation says that the product met the requirements documented
>>in its "Security Target" document.
>
> Right, if I understand correctly, it's a lot like those ISO9000
> deals - you're evaluated on whether or not you actually do what
> you claim to do. And, since everyone's claims can be subtly
> different, in the end the evaluation is useless because a user
> of the evaluated product has to re-evaluate the product to see
> if the claims make sense for their purpose.

Yep. If the product is not used under the same conditions that it was
evaluated under (i.e. exact same version/revision, sometimes on
particular hardware, possibly with any number of other restrictions),
the evaluation essentially means nothing. So a user must determine
whether these restrictions make sense for them.

The biggest problem I see in things like firewalls (and other
fast-ish paced software/hardware) is that every version/revision must be
evaluated, which means big expenditure on the part of the developer to
maintain a rating.

> I once thought about trying to get a 10baseT hub ITSEC evaluated
> as a firewall (albeit a very permissive one) but the mountains
> of paperwork and the huge amount of time and money necessary
> are daunting.

E1 and E2 aren't too bad, although to my mind the ratings mean little
anyway. E3 and E4 start getting prohibitive, unless you're following
pretty rigorous design/documentation procedures anyway. E5 and E6 are
just plain horrendous!

> I'm sure that many on this list will be shocked to hear me say
> this, but the ICSA firewall product certification is orders of
> magnitude more valuable to real customers than ITSEC evaluation.

So far as I can tell, ITSEC and Common Criteria ratings are mainly used
by governments when buying products (I believe an ITSEC rating is
mandatory in Australia for some purchases). They can be of some use to
commercial companies, but the restrictions placed on the "secure" use
of them may be prohibitive.

Tim.

    What's the difference between roast beef and pea soup?
    Anyone can roast beef.

These are, of course, my opinions only.