Re: MISSI X31 results

[Rick Smith <rsmith () visi com>]

I haven't talked to anyone at X about the Firewall-1 report, but I can shed
some light on the process:

1) They get a copy of said firewall.

2) They examine all available descriptions of the firewall's capabilities
and produce a list of "Vendor Claims." Individual claims may or may not
correspond to a feature you desperately want to know about. Capabilities
won't be tested unless the test team sees the capabilities as "Vendor
Claims" and has time to test them. They avoid using proprietary information
like internal design documents -- everything is based on product
documentation and marketing descriptions.

3) They test every Vendor Claim they have time to, plus they run whatever
penetration tests they find interesting.

4) They generate a draft report of their results.

5) They submit it to the vendor for review. They will *not* post the
results until the vendor and X agree on the contents. This was not a fast
thing with the Sidewinder report simply because the thing was so long. We
had 3 or 4 engineers read it over and check everything before the final
thing went out.

The Firewall 1 report might be snagged on Step 5, and it could be for any
number of reasons, be they technical, political, or bureaucratic. The
latter is especially possible if the state department is involved in the
review as well as NSA/X and the vendor.

Rick.
smith () securecomputing com