Firewall Wizards mailing list archives
Re: MISSI X31 results
From: Frank Willoughby <frankw () in net>
Date: Mon, 06 Oct 1997 12:47:52 -0500
At 04:16 PM 10/3/97 -0700, Bill Stout wrote: Personally, I think this belongs on the other firewalls mailing list, or off-line, but as long as the questions were asked...
The NSAs' Missi X31 web site ( http://missi.ie.gov/ )lists reports for V-One Smartwall, SCC Sidewinder, and the TIS Gauntlet. The reports include simple 'validated/not validated/not tested' checklists, and are not a certification.
I couldn't get the web site you mentioned to work for me. I usually use the following site: http://mitten.ie.org/ 8< [snip]
I've been told the results are 'classified', others in the X31 group say they are 'politically negotiating' through the state department with the company for permission to release the report (whatever for?).
I don't know about the classified part, however, the state department part makes sense to me. Washington, DC is political. No matter how you slice it, implementing a firewall from Israel (or any other country) throughout US Gov't agencies has political ramifications. One of the reasons why is that implementing a foreign product within the United States government agencies may imply (rightly or wrongly), or be perceived to imply, that the United States supports that country's internal & foreign policies. This is a completely separate issue that has absolutely *nothing* to do with the product's technical merits or vulnerabilities. Also, there have been some recent tensions between the US & Israel in recent history. For the reasons above, these tensions may have a direct bearing on approving or rejecting a product for use in US Gov't agencies. To wit: o Israel was caught spying on the US several years ago. IMO, friends that spy on each other aren't very good friends. o Last week, Israel refused to extradite a murder suspect for a killing in the DC area (Maryland, I believe). I've been on the road the last couple of days and don't know if this ever got resolved. o Israel's own internal affairs regarding the Palestinian issues haven't been exactly handled with great finesse since the change of power after the assassination. Also, Israel's backpedaling of some of its prior commitments to the peace process, (which the US helped mitigate) is going over like a lead balloon in Washington. In some circles, this is seen as provocative. Granted these are foreign policy issues, but they *do* have an impact on whether the US Gov't buys the product on a large scale for the reasons mentioned above. ------------------------------------------------------------------------ [START_OF_TANGENT] [The following paragraphs are intended to illustrate the point made ] [in the last paragraph. Please DO NOT send any replies to me or the ] [list about them. I won't respond to them, and Marcus would probably,] [and hopefully, delete them before they got to the list. ] A hypothetical situation. Suppose the product initially tested OK, and the product was implemented on a large scale. Also, suppose that a year or two later that after the gov't bought a fairly substantial number of the products, a major vulnerability or major problem with the product were discovered *and* the vendor did not want correct the problem to the gov't's satisfaction. Consequently, the US gov't might consider the product to be defective and mandate that the product be taken off of the list of "approved" products and the products replaced. The vendor, seeing its profits going up in a puff of smoke, may wish to exert their influence on their gov't who in turn would try to exert pressure on Washington, DC to reinstate the defective product - without correcting the deficiencies. Neither side budges and political tensions mount. Another point. Suppose that our gov't (heaven forbid) actually manages to pass a law requiring GAK (or reasonable facsimile thereof), but the vendor doesn't want to implement it. The US Gov't would be setting a very bad example (double-standard) if it purchased foreign products on a large scale which don't adhere to its own laws. [END_OF_TANGENT] ------------------------------------------------------------------------- Back to reality. Personally, I think that checking with the State & Commerce departments would be a prudent thing to do - particularly given the current political climate of both countries and also taking into account that the product implements crypto for VPNs.
The X31 group refuses to discuss any content of the report or test results, which is out of character.
I wouldn't consider it out of character for them not to talk about the report with external entities until the report was actually finished. A report which is released before all of the results have been checked, re-checked, and appropriately word-smithed could have significant ramifications for the parties involved. The author (person or agency) of the document could be held liable, someone could get fired (author or vendor), or multi-million dollar contracts could be lost based on a misunderstanding or misinterpretation of the findings. Also, it makes good business & security sense to review a document before distributing it. I also would expect that the X31 group would submit a draft version of the report to an internal peer review before it is published. I prefer not to hand out draft documents and I would suspect that this is also the case with the X31 group. It could also be that the testing was finished a couple of weeks ago and that the firewall evaluation report isn't finished yet. Producing a *comprehensive* firewall evaluation test report generally takes weeks to write. (Been there, done that). Given that their reports can be @100 pages, *and* that their reports will be read as an official opinion *and* be read by firewall experts around the world, I'm not surprised that it is taking as long as it is. On an upbeat note, from what I have seen so far, I think that they do an excellent job in producing their reports. Good content, IMO. Best Regards, Frank The opinions of the author of this mail may not necessarily be representative of the opinions of Fortifed Networks, Inc. Fortified Networks, Inc. - http://www.fortified.com/ Expert (vendor-neutral) Computer and Network Security Consulting Phone: (317) 573-0800 Fax: (317) 573-0817
Current thread:
- MISSI X31 results Bill Stout (Oct 04)
- Re: MISSI X31 results Frank Willoughby (Oct 06)
- Re: MISSI X31 results Alfred Huger (Oct 06)
- Message not available
- Re: MISSI X31 results Frederick M Avolio (Oct 07)
- Re: MISSI X31 results Alfred Huger (Oct 09)
- Re: MISSI X31 results Frank Willoughby (Oct 06)
- Re: MISSI X31 results Rick Smith (Oct 09)
- <Possible follow-ups>
- Re: MISSI X31 results Bill Stout (Oct 06)
- Re: MISSI X31 results Bill Stout (Oct 07)
- Re: MISSI X31 results Alfred Huger (Oct 09)