Folks,

ITSEC was the scheme in use in the UK, Canada, Germany, France and the Netherlands. Evaluations carried out in one country were accepted in the others. In the meantime, the US was using the Orange-Book security specs, which were great for OS, but pretty useless for other tools or applications. Common Criteria is meant to tie both systems together.

One of the improvements of CC over ITSEC is the availability of the "Target of Evaluation" or TOE. This should allow implementers to see exactly the set-up of the tool that was evaluated, and mirror it if required.

Note that ITSEC ratings are one lower than the equivalent CC rating (ITSEC E3 is CC EAL4), to give CC the equivalent of the Orange Book "D" grade (Duff?).

Evaluated firewalls include: BlackHole 3.01E2, Checkpoint FW-1 4.0, Cyberguard 4.1 (NT & Unix), Gauntlet NT 3.01, VCS 3.0. PIX and Borderware 6.1 are in evaluation.

For the full list (as of Oct 99 - includes other countries' evaluated products) - http://www.itsec.gov.uk/docs/pdfs/guides/products.pdf (about 700k)

For an online list, which only reflects UK evaluations, see http://www.itsec.gov.uk/products

Two notes:

1. Don't expect to see either AV products or vulnerability scanners in here any time soon. The fluid nature of these products would mean that they would have to be continually and expensively re-evaluated. CESG are trying to find a way around this - there may be a "CC Approved" category or something similar starting up. This may be just UK internal though.

2. I don't work for a firewall vendor or for the UK government.

Matthew Pemble, Senior Consultant,
IS Integration, Preston Technology Management Centre,
Marsh Lane, PRESTON, Lancashire, PR1 8UD
Tel: +44 (0)1772 885850
Fax: +44 (0)1772 558881
Mob: +44 (0) 7050 128620
Mailto:mpembleat_private
Web: http://www.isintegration.co.uk

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify your system manager or IS Integration Limited on +44 (0) 1772 885850. Any views expressed in this e-mail message are those of the individual sending the message, except where the sender specifically states them to be the views of IS Integration Limited.

-----Original Message-----
From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private] On Behalf Of Rick Smith
Sent: 02 February 2000 15:10
To: Craig Martin; firewall-wizardsat_private
Subject: Re: Firewalls - ITSEC Rating?

At 03:42 AM 02/01/2000 -0800, Craig Martin wrote:

>Could someone possibly explain the difference between
>a Firewall that is ITSEC rated and a F/W that is
>not?...Am I correct in saying that Firewall-1 for
>example is not ITSEC rated?...Seems strange.

The substantive difference is whether or not the vendor paid money to an evaluation lab to do the evaluation, and the vendor had the patience and cash to see the thing through. The ITSEC evaluation says that the product met the requirements documented in its "Security Target" document.

Firewall-1 has a version with an ITSEC rating, though I'm told this is not their standard, off-the-shelf product.

The official party line in the security evaluations and ratings business is that the "Common Criteria" is supposed to replace ITSEC. The two are very similar, but the Common Criteria is recognized in multiple countries while ITSEC ratings are only officially recognized in the country that issued the rating.

Firewall-1 also has a Common Criteria rating, but I'd check to see if it's for their standard product or not. Several other firewalls also have Common Criteria ratings.

Rick.
smithat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:26 PDT