Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 23 Sep 1998 11:55:02 -0400

Christopher Nicholls wrote:
Currently, how else are we going to answer the question: "Which
firewall/OS/ID is the best/most secure for my organisation?"...

My usual answer is:
        "Pffff. They're all the same, modulo details and marketing.
        The question isn't the implementation of the firewall, it's
        the policy that the firewall's admin installs in it. That's
        where the vulnerabilities creep in. You can have the 'most
        secure' firewall on the planet and some yutz will let a
        connection in on some service because they don't know of
        any flaws in it."

For those who haven't looked at it, the common criteria is a
rule-base for building specifications of the security properties
of security systems. In other words, it lets you write a standard
definition of what a firewall should do. Once you've done that
you can apply that definition to specific solutions. This all
sounds great in theory, but:
        1) it's prone to vendor lobbying - if you can tailor the
        spec then you can target the spec
        2) it's prone to wishful thinking - if you know the product
        you want to use, it's easy to tailor the spec so the product
        meets it
        3) it uses a completely synthetic language. therefore it
        is not human readable. in order to understand the spec
        you have to be a common criteria maven -- none of the
        vendors I know of (myself included!) will take the time
        to decipher it if they can possibly avoid it by just
        saying "we're under evaluation" like they did with the
        orange book stuff

I believe that the common criteria became the sheltering place
for the orange book language lawyers who were out of a job
when the orange book collapsed. The common criteria are the
same kind of nonsense, only writ larger, and more complex.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
