At 08:30 AM 02/03/2000 -0500, Marcus J. Ranum wrote:
>I'm sure that many on this list will be shocked to hear me say
>this, but the ICSA firewall product certification is orders of
>magnitude more valuable to real customers than ITSEC evaluation.

My company (BorderWare Technologies Inc.) develops a firewall that is both ICSA and EAL4 certified, and based on our experience with the process, I must disagree with the above statement.

ICSA certification consists primarily of "black box" testing, i.e. a set of tests is performed against the target firewall, and the results are used to determine whether it meets the criteria defined by ICSA. There are 42 firewalls listed as being certified by ICSA as of Jan 31, ranging in functionality from Cisco's IOS firewall feature set all the way to high-end firewalls. ICSA certification does not include evaluation of the vendor's internal processes or the vendor-specific feature and function claims.

Common Criteria certification, which is the latest incarnation of ITSEC, involves a much more rigorous and in-depth analysis of the target product. This includes design and architecture, development processes and security, software QA processes, and obviously, penetration testing. Unlike the older ITSEC certification process, the Common Criteria process involves evaluating the target product against objective security parameters for the type of product, in addition to vendor-specific claims.

Paul Emerson wrote:
> ITSEC is really quite pitiful. For example FW-1 was evaluated and
> passed E-3, but the GUI was not included with the target. So I guess
> in order to use FW-1 as evaluated the GUI should not be used.

This is a valid comment, and illustrates the point that customers should not blindly accept any certification without checking what is actually covered.

In the case of the BorderWare Firewall Server, we have published the scope of our EAL4 certification for public review on our web site (http://www.borderware.com/certifications.html). Both the GUI and underlying secure operating system are included in our certification, i.e. the product in its normally used mode of operation on generic Intel hardware is fully certified.

To go back to Marcus' observation, I would certainly agree that EAL4 certification is orders of magnitude harder and more expensive to get than ICSA; however, it is possible to certify a fully functional commercial firewall, and the result does provide a significantly higher level of assurance to customers.

--
John Alsop
President & CEO
Borderware Technologies Inc.
jalsopat_private
Tel: 905-804-1855 x223
Fax: 905-804-1865
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:55 PDT