Firewall Wizards mailing list archives

Re: Firewalls - ITSEC Rating?


From: "Matthew Pemble" <mpemble () isintegration co uk>
Date: Thu, 3 Feb 2000 14:19:04 -0000

Folks,


ITSEC was the scheme in use in UK, Canada, Germany, France and the
Netherlands.  Evaluations carried out in one country were accepted in the
others.

In the meantime, the US was using the Orange-Book security specs, which
were great for OS, but pretty useless for other tools or applications.

Common Criteria is meant to tie both systems together.  One of the
improvements of CC over ITSEC is the availability of the "Target of
Evaluation" or TOE. This should allow implementers to see exactly the set-up
of the tool that was evaluated, and mirror it if required.  Note that ITSEC
ratings are one lower than the equivalent CC rating (ITSEC E3 is CC EAL4),
to give CC the equivalent of the Orange Book "D" grade (Duff?)

Evaluated firewalls include:

BlackHole 3.01E2, Checkpoint FW-1 4.0, Cyberguard 4.1 (NT & Unix), Gauntlet
NT 3.01, VCS 3.0.

PIX and Borderware 6.1 are in evaluation.

For the full list (as of Oct 99 - includes other countries' evaluated
products) - http://www.itsec.gov.uk/docs/pdfs/guides/products.pdf (about
700k)

An online list, which only reflects UK evaluations, see
http://www.itsec.gov.uk/products

Two notes:

1.      Don't expect to see either AV products or vulnerability scanners in here
any time soon.  The fluid nature of these products would mean that they
would have to be continually and expensively re-evaluated.  CESG are trying
to find a way around this - there may be a "CC Approved" category or
something similar starting up.  This may be just UK internal 'though.

2.      I don't work for a firewall vendor or for the UK government.

Matthew Pemble, Senior Consultant, IS Integration,
Preston Technology Management Centre, Marsh Lane, PRESTON, Lancashire, PR1
8UD

Tel: +44 (0)1772 885850  Fax: +44 (0)1772 558881  Mob: +44 (0) 7050 128620

Mailto:mpemble () isintegration co uk  Web: http://www.isintegration.co.uk

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify your system manager
or IS Integration Limited on +44 (0) 1772 885850


Any Views expressed in this e-mail message are those of the individual
sending the message, except where the sender specifically states them to
be the views of IS Integration Limited.



-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Rick Smith
Sent: 02 February 2000 15:10
To: Craig Martin; firewall-wizards () nfr net
Subject: Re: Firewalls - ITSEC Rating?


At 03:42 AM 02/01/2000 -0800, Craig Martin wrote:

Could someone possibly explain the difference between
a Firewall that is ITSEC rated and a F/W that is
not?...Am I correct in saying that Firewall-1 for
example is not ITSEC rated?...Seems strange.

The substantive difference is whether or not the vendor paid money to an
evaluation lab to do the evaluation, and the vendor had the patience and
cash to see the thing through.

The ITSEC evaluation says that the product met the requirements documented
in its "Security Target" document.

Firewall-1 has a version with an ITSEC rating, though I'm told this is not
their standard, off-the-shelf product. The official party line in the
security evaluations and ratings business is that the "Common Criteria" is
supposed to replace ITSEC. The two are very similar, but the Common
Criteria is recognized in multiple countries while ITSEC ratings are only
officially recognized in the country that issued the rating. Firewall-1
also has a Common Criteria rating, but I'd check to see if it's for their
standard product or not. Several other firewalls also have Common Criteria
ratings.

Rick.
smith () securecomputing com

