Firewall Wizards mailing list archives

Re: MISSI X31 results


From: Frank Willoughby <frankw () in net>
Date: Mon, 06 Oct 1997 12:47:52 -0500

At 04:16 PM 10/3/97 -0700, Bill Stout wrote:

Personally, I think this belongs on the other firewalls mailing list,
or off-line, but as long as the questions were asked...

> The NSA's Missi X31 web site ( http://missi.ie.gov/ ) lists reports for V-One
> Smartwall, SCC Sidewinder, and the TIS Gauntlet.  The reports include simple
> 'validated/not validated/not tested' checklists, and are not a certification.

I couldn't get the web site you mentioned to work for me.
I usually use the following site:

        http://mitten.ie.org/



8< [snip]

> I've been
> told the results are 'classified', others in the X31 group say they are
> 'politically negotiating' through the state department with the company for
> permission to release the report (whatever for?).

I don't know about the classified part, however, the state department 
part makes sense to me.  Washington, DC is political.  No matter how 
you slice it, implementing a firewall from Israel (or any other country)
throughout US Gov't agencies has political ramifications.

One of the reasons why is that implementing a foreign product within 
the United States government agencies may imply (rightly or wrongly), 
or be perceived to imply, that the United States supports that country's 
internal & foreign policies.  This is a completely separate issue that 
has absolutely *nothing* to do with the product's technical merits or
vulnerabilities.

Also, there have been some recent tensions between the US & Israel in
recent history.  For the reasons above, these tensions may have a direct 
bearing on approving or rejecting a product for use in US Gov't agencies.  
To wit:

o Israel was caught spying on the US several years ago.  IMO, friends 
   that spy on each other aren't very good friends.
o Last week, Israel refused to extradite a murder suspect for a killing
   in the DC area (Maryland, I believe).  I've been on the road the last
   couple of days and don't know if this ever got resolved.
o Israel's own internal affairs regarding the Palestinian issues haven't
   been exactly handled with great finesse since the change of power 
   after the assassination.  Also, Israel's backpedaling of some of its 
   prior commitments to the peace process, (which the US helped mitigate) 
   is going over like a lead balloon in Washington.  In some circles, this 
   is seen as provocative.

Granted these are foreign policy issues, but they *do* have an impact 
on whether the US Gov't buys the product on a large scale for the reasons
mentioned above.


------------------------------------------------------------------------
[START_OF_TANGENT]

[The following paragraphs are intended to illustrate the point made   ]
[in the last paragraph.  Please DO NOT send any replies to me or the  ]
[list about them.  I won't respond to them, and Marcus would probably,]
[and hopefully, delete them before they got to the list.              ]
 
A hypothetical situation.  Suppose the product initially tested OK,
and the product was implemented on a large scale.  Also, suppose that 
a year or two later that after the gov't bought a fairly substantial 
number of the products, a major vulnerability or major problem with 
the product were discovered *and* the vendor did not want to correct the 
problem to the gov't's satisfaction.  Consequently, the US gov't might 
consider the product to be defective and mandate that the product be 
taken off of the list of "approved" products and the products replaced.
The vendor, seeing its profits going up in a puff of smoke, may wish
to exert their influence on their gov't who in turn would try to exert
pressure on Washington, DC to reinstate the defective product - without
correcting the deficiencies.  Neither side budges and political tensions 
mount.

Another point.  Suppose that our gov't (heaven forbid) actually manages 
to pass a law requiring GAK (or reasonable facsimile thereof), but the 
vendor doesn't want to implement it.  The US Gov't would be setting a 
very bad example (double-standard) if it purchased foreign products on 
a large scale which don't adhere to its own laws.

[END_OF_TANGENT]
-------------------------------------------------------------------------


Back to reality.  Personally, I think that checking with the State & 
Commerce departments would be a prudent thing to do - particularly 
given the current political climate of both countries and also taking 
into account that the product implements crypto for VPNs.


> The X31 group refuses to
> discuss any content of the report or test results, which is out of character.

I wouldn't consider it out of character for them not to talk about the
report with external entities until the report was actually finished.

A report which is released before all of the results have been checked,
re-checked, and appropriately word-smithed could have significant 
ramifications for the parties involved.  The author (person or agency) 
of the document could be held liable, someone could get fired (author or
vendor), or multi-million dollar contracts could be lost based on a
misunderstanding or misinterpretation of the findings. 

Also, it makes good business & security sense to review a document 
before distributing it.  I also would expect that the X31 group would 
submit a draft version of the report to an internal peer review before 
it is published.  I prefer not to hand out draft documents and I would 
suspect that this is also the case with the X31 group.  

It could also be that the testing was finished a couple of weeks ago 
and that the firewall evaluation report isn't finished yet.  Producing 
a *comprehensive* firewall evaluation test report generally takes weeks 
to write.  (Been there, done that).  Given that their reports can be 
@100 pages, *and* that their reports will be read as an official opinion 
*and* be read by firewall experts around the world, I'm not surprised 
that it is taking as long as it is.

On an upbeat note, from what I have seen so far, I think that they do 
an excellent job in producing their reports.  Good content, IMO.  

Best Regards,


Frank
The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800     Fax: (317) 573-0817


