Firewall Wizards mailing list archives

RE: Firewalls - ITSEC Rating?


From: "Lemon, Henry L." <LemonHL () aristechchem com>
Date: Thu, 3 Feb 2000 14:01:05 -0500

What is Common Criteria EAL4 Certification and should we care?  How does it
fit in with ITSEC and ICSA?  Does any of this matter really?

Henry Lemon             mailto:LemonHL () aristechchem com
Aristech Chemical Corporation c=US;a=MCI;p=Aristech;s=Lemon;g=Henry
phone:  412-433-7835
fax:    412-467-2001  



-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr net]
Sent: Thursday, February 03, 2000 11:31 AM
To: Rick Smith; Craig Martin; firewall-wizards () nfr net
Subject: Re: Firewalls - ITSEC Rating?



The ITSEC evaluation says that the product met the requirements documented
in its "Security Target" document.

Right, if I understand correctly, it's a lot like those ISO9000
deals - you're evaluated on whether or not you actually do what
you claim to do. And, since everyone's claims can be subtly
different, in the end the evaluation is useless because a user
of the evaluated product has to re-evaluate the product to see
if the claims make sense for their purpose.

I once thought about trying to get a 10baseT hub ITSEC evaluated
as a firewall (albeit a very permissive one) but the mountains
of paperwork and the huge amount of time and money necessary
are daunting.

I'm sure that many on this list will be shocked to hear me say
this, but the ICSA firewall product certification is orders of
magnitude more valuable to real customers than ITSEC evaluation.

mjr.


