Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: Christopher Nicholls <chrisn () softway com au>
Date: Wed, 23 Sep 1998 11:10:26 +1000
At 08:40 PM 21/09/98 -0400, Marcus J. Ranum wrote:
> Christopher Nicholls wrote:
> > Have you checked out the Common Criteria model?
>
> Yeah, it's like the orange book written by lawyers. Clearly what happened is that the orange book specs were too complex to implement in a timely and cost effective manner. So the powers that be decided to implement a security evaluation criteria model that would allow them to redefine things so that basically anything is OK as long as you say it's OK. Cover the problem with layers of paper. :(
That's a little simplistic, Marcus. I don't think the layers of paper are so much of a problem if the end result is something which is useful. In this instance paperwork merely suggests qualification...

As I see it, there are two aspects to this subject. Firstly, does the firewall, OS or software stand up to thorough evaluation and to rigorous testing? And then secondly: does it meet the specifications established by the certificate authority (DOD or similar) - the security target? Surely how well these two aspects are covered and answered will give a reasonable estimate of the software's security capability? Particularly if the security target is tightly set.

This discussion sounds too much like we are attempting to be precise in a very imprecise environment. From an engineering aspect it must be very frustrating trying to exact such a precise statement of the software's capability, but this does not necessarily imply that ITSEC or Common Criteria evaluations are not useful. If you understand their qualifying, then the process is very useful for the end user who is, in the final analysis, looking for some ability to discern the "best" from the bunch.

The critical element in such evaluation is the security target. If this is not strong enough then you are right - it's a waste of time and paper... but if it is set high enough then it is more useful. Currently, how else are we going to answer the question: "Which firewall/OS/ID is the best/most secure for my organisation?"...

Regards,
Christopher

----------------------------------------------------------------------
Christopher A. Nicholls
Softway Pty Ltd                                    ACN: 002 726 641
Canberra Branch Office: Suite 1.3, Dickson Park Professional Centre
151 Cowper Street, Dickson ACT 2602
PO Box 923, Dickson ACT 2602
Ph: +61 2 6257 0666    Fax: +61 2 6257 0665
E-mail: chrisn () softway com au    Mob: 0411 454 755
WWW: http://www.softway.com.au
----------------------------------------------------------------------