Re: Firewalls - ITSEC Rating?

[Rick Smith <rick_smith () securecomputing com>]

At 03:42 AM 02/01/2000 -0800, Craig Martin wrote:

> Could someone possibly explain the difference between
> a Firewall that is ITSEC rated and a F/W that is
> not?...Am I correct in saying that Firewall-1 for
> example is not ITSEC rated?...Seems strange.

The substantive difference is whether or not the vendor paid money to an
evaluation lab to do the evaluation, and the vendor had the patience and
cash to see the thing through.

The ITSEC evaluation says that the product met the requirements documented
in its "Security Target" document.

Firewall-1 has a version with an ITSEC rating, though I'm told this is not
their standard, off-the-shelf product. The official party line in the
security evaluations and ratings business is that the "Common Criteria" is
supposed to replace ITSEC. The two are very similar, but the Common
Criteria is recognized in multiple countries while ITSEC ratings are only
officially recognized in the country that issued the rating. Firewall-1
also has a Common Criteria rating, but I'd check to see if it's for their
standard product or not. Several other firewalls also have Common Criteria
ratings.

Rick.
smith () securecomputing com