Firewall Wizards mailing list archives

Re: MISSI X31 results


From: Alfred Huger <ahuger () silence secnet com>
Date: Wed, 8 Oct 1997 10:06:12 -0600 (MDT)


On Tue, 7 Oct 1997, Frederick M Avolio wrote:

>> I have to agree with you. The work I have seen from the X31 group far
>> outstrips that of other Firewall testing 'authorities' I have seen. I
>> admit that this surprised me given that the X31 team is gov't based and I
>> tend to hold a dim view of such agencies and computer security.


> Is this to say, for example, that you think the X31 tests mean more than
> NCSA's or is worth more? They seem fairly similar,

For me at least, the testing done by the X31 group is worth more than the
testing done by the NCSA. For a number of reasons, the primary being that
I can see precisely what was done to test the firewall. From reading the
NCSA literature I see their testing methodology is indeed similar.
However, what I read were outlines of testing semantics. What I saw in the
MISSI reports were very detailed reports of their procedures. 

I cannot seem to find the actual reports for each firewall tested by the
NCSA, yet I can see the entire procedure for each firewall with the X31
group. This allows me to see the shortcomings of a firewall as well as the
strong points. I prefer this over a carte blanche stamp of approval from
the NCSA.


> except that NCSA has
> provisions for routine and on-going testing (so that the test results
> aren't 18 months old, for example).

I put very little weight behind this. I have seen current production
firewalls with problems the NCSA should have found. When I say current, I
mean within the last few months. I have recently seen application level
firewalls vulnerable to both SYN flooding and TCP sequence prediction. 
Beyond this, I have seen router based firewalls which seem to improperly
block source routed packets as well as filtering devices which are trivial
to knock over (although they do FAIL CLOSE). *All* of these products were
NCSA certified. All of these problems should have been easy to find,
provided you were not using canned security checks. These particular flaws
needed some envelope pushing to be discovered, which IMO should have been
done by the NCSA.


/****************************************************************************
Alfred Huger                                    http://www.secnet.com/ballista
Project Director                                ahuger () secnet com
Secure Networks Inc. (SNI)
*****************************************************************************/


