RE: Firewalls - ITSEC Rating?

From: Michael.Owen@net-tel.co.uk
Date: Mon Feb 14 2000 - 06:46:00 PST


    > The value of ITSEC is simply marketing from the vendor's perspective. 
    > Having your firewall ITSEC certified opens doors for sales, since it 
    > is a CYA situation for the buyer.
    > 
    > ITSEC is really quite pitiful. For example FW-1 was evaluated and 
    > passed E-3, but the GUI was not included with the target.  So I guess 
    > in order to use FW-1 as evaluated the GUI should not be used.
    
    Well, the truth of the matter is more along the lines of "ITSEC evaluation will evaluate your product based on what you claim." 
    
    As a result of this, NT, for example, managed to become E3 certified, but only with functionality from the old C2 DoD rating, and a network "assumed" to be secure.
    
    In contrast, Trusted Solaris was evaluated to the same level (E3), but with the functionality of a B1 evaluation, and without a network "assumed" to be secure. 
    
    Two evaluations to the same level of assuredness, but two very different sets of claims. This is why you have to know what Security Targets were set by vendors when they went into evaluation: they can be very useful where a company has set strong security targets. In other cases, unfortunately, they can be little more than PR.
    
    Michael Owen
    
    ----
    Michael Owen
    IT Security Engineer
    NET-TEL Computer Systems Ltd
    Michael.Owen@net-tel.co.uk
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:15 PDT