Firewall Wizards mailing list archives

RE: Firewalls - ITSEC Rating?


From: Michael.Owen () net-tel co uk
Date: Mon, 14 Feb 2000 14:46:00 +0000

The value of ITSEC is simply marketing from the vendor's perspective. 
Having your firewall ITSEC certified opens doors for sales, since it 
is a CYA situation for the buyer.

ITSEC is really quite pitiful. For example, FW-1 was evaluated and 
passed E-3, but the GUI was not included with the target. So I guess 
in order to use FW-1 as evaluated the GUI should not be used.

Well, the truth of the matter is more along the lines of "ITSEC evaluation will evaluate your product based on what you 
claim." 

As a result of this, NT, for example, managed to become E3 certified, but only with functionality from the old C2 DoD 
rating, and a network "assumed" to be secure.

In contrast, Trusted Solaris was evaluated to the same level (E3), but with the functionality of a B1 evaluation, and 
without a network "assumed" to be secure. 

Two evaluations to the same levels of assuredness, but two very different sets of claims. This is why you have to know 
what Security Targets were set by vendors when they went into evaluation - they can be very useful with a company 
making strong security targets. In other cases, unfortunately, they can be little more than PR.

Michael Owen

----
Michael Owen
IT Security Engineer
NET-TEL Computer Systems Ltd
Michael.Owen () net-tel co uk


