Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 23 Sep 1998 11:55:02 -0400
Christopher Nicholls wrote:
Currently, how else are we going to answer the question: " Which firewall/OS/ID is the best/most secure for my organisation?"...
My usual answer is: "Pffff. They're all the same, modulo details and marketing. The question isn't the implementation of the firewall, it's the policy that the firewall's admin installs in it. That's where the vulnerabilities creep in. You can have the 'most secure' firewall on the planet and some yutz will let a connection in on some service because they don't know of any flaws in it."

For those who haven't looked at it, the Common Criteria is a rule-base for building specifications of the security properties of security systems. In other words, it lets you write a standard definition of what a firewall should do. Once you've done that you can apply that definition to specific solutions. This all sounds great in theory, but:

1) it's prone to vendor lobbying - if you can tailor the spec then you can target the spec

2) it's prone to wishful thinking - if you know the product you want to use, it's easy to tailor the spec so the product meets it

3) it uses a completely synthetic language. Therefore it is not human readable. In order to understand the spec you have to be a Common Criteria maven -- none of the vendors I know of (myself included!) will take the time to decipher it if they can possibly avoid it by just saying "we're under evaluation" like they did with the Orange Book stuff

I believe that the Common Criteria became the sheltering place for the Orange Book language lawyers who were out of a job when the Orange Book collapsed. The Common Criteria are the same kind of nonsense, only writ larger, and more complex.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
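The point mjr makes above, that the rule-base an admin installs matters more than the box it runs on, is easiest to see by auditing a policy rather than a product. The following is an added example, not code from the original post or from NFR: a small first-match policy evaluator plus an audit pass over a constructed rule-base. The `Rule` format, the rule names, the addresses and the notion of a "trusted service" list are all assumptions made for the example.

```python
"""Audit a constructed firewall rule-base for the policy mistakes the post
describes: a perfectly good firewall, and an admin who lets an inbound
service through anyway. Example code, not from the original post; the
Rule format, addresses and rule names are hypothetical."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    direction: str   # "in" (toward the protected net) or "out"
    src: str         # IPv4 CIDR, or "any"
    dst: str         # IPv4 CIDR, or "any"
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # (low, high), inclusive destination port range


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    return _net(inner).subnet_of(_net(outer))


def first_match(rules, direction, src, dst, proto, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if not (r.ports[0] <= port <= r.ports[1]):
            continue
        if ipaddress.ip_address(src) not in _net(r.src):
            continue
        if ipaddress.ip_address(dst) not in _net(r.dst):
            continue
        return r.action, r.name
    return "deny", "<default>"


# Services whose name we want in the findings text (assumed list).
WELL_KNOWN = {22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
              111: "sunrpc", 443: "https", 2049: "nfs"}


def audit(rules, trusted_services=frozenset({25, 53, 80, 443})):
    """Return (rule_name, message) findings for risky inbound allows and
    deny rules that can never fire because an earlier allow shadows them."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.direction != "in":
            continue
        width = r.ports[1] - r.ports[0] + 1
        if r.src == "any" and r.proto == "any" and width == 65536:
            findings.append((r.name, "any/any inbound allow: the firewall is effectively off"))
            continue
        if r.src == "any" and width > 1:
            findings.append((r.name, f"inbound allow from anywhere on a range of {width} ports"))
        for p in range(r.ports[0], r.ports[1] + 1):
            if r.src == "any" and p in WELL_KNOWN and p not in trusted_services:
                findings.append((r.name, f"inbound {WELL_KNOWN[p]}/{p} open to the world"))
    # Shadowing: a later deny is dead if an earlier allow fully covers it.
    for i, later in enumerate(rules):
        if later.action != "deny":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "allow" and earlier.direction == later.direction
                    and earlier.proto in ("any", later.proto)
                    and earlier.ports[0] <= later.ports[0] <= later.ports[1] <= earlier.ports[1]
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)):
                findings.append((later.name, f"never reached: shadowed by earlier allow '{earlier.name}'"))
                break
    return findings


# Constructed rule-base: two sensible web rules, an admin SSH rule, and the
# "some yutz let a service in" rules at the end (hypothetical addresses).
RULES = [
    Rule("web-in", "allow", "in", "any", "192.0.2.10/32", "tcp", (80, 80)),
    Rule("https-in", "allow", "in", "any", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("ssh-admin", "allow", "in", "198.51.100.0/24", "192.0.2.0/24", "tcp", (22, 22)),
    Rule("nfs-oops", "allow", "in", "any", "192.0.2.20/32", "tcp", (2049, 2049)),
    Rule("rpc-range", "allow", "in", "any", "192.0.2.20/32", "tcp", (1, 1024)),
    Rule("block-telnet", "deny", "in", "any", "192.0.2.20/32", "tcp", (23, 23)),
]

if __name__ == "__main__":
    for name, msg in audit(RULES):
        print(f"{name:13s} {msg}")
    print(first_match(RULES, "in", "203.0.113.5", "192.0.2.20", "tcp", 23))
```

The evaluator shows the failure mode concretely: `block-telnet` reads like a deliberate policy decision, but first-match semantics hand a telnet connection from anywhere to `rpc-range` before the deny is ever consulted. None of that is a flaw in the firewall implementation; it is entirely in the rule-base.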