Firewall Testing

Should we have an authority that "certifies" firewalls?

Can you standardize something so flexible?

Firewalls right now are a highly competitive marketplace. Vendors and their sales teams are constantly asked to differentiate their products from those of their competition, and the pressure is intense. The end result is that things which are very similar are touted as very different, and some types of technologies are cast as inadequate while others are positioned as superior. It's difficult to sort out the hype from the substance.

Can any single authority sort out the hype and define what is a "good" firewall? That's what certification implies, or, more precisely, that's what firewall buyers will assume certification implies. The real problem is that a "good" firewall for any given purpose depends a lot on the customer's needs, security requirements, and budget. For an authority to specify evaluation criteria for good firewalls, we'd all have to be using them for the same purpose, and they'd all have to have roughly the same properties.

The DOD approach: Orange Book, etc.

In the arena of government secure computing, the Orange Book is a guideline for the desirable properties of computer systems for handling classified or secret material. The Orange Book model is based on a 1960s-1970s mind-set wherein many users share a mainframe, attached to it via hard-wired terminals (some of our younger readers may have never worked on such things, but trust me, they did exist once). The security goal of these systems was to keep one user from reading another user's data on the same machine.

The Orange Book provides a very rigid requirements document, specifying the mandatory features systems had to have at a given "level" of security. What's interesting about the Orange Book approach is that it implicitly contains a notion of what the "best possible" security is (A1) and it completely ignores what a user might want to do with the system. It is for this reason that the Orange Book both succeeds and fails. It is possible for the Orange Book evaluation approach to work because it has a limited set of objectives (a very comprehensive and restrictive laundry list) as well as a captive audience (DOD users and contractors). The question of whether or not the systems are usable, useful, and deployable has been loudly answered by the market and the non-captive user community.

An Orange Book for Firewalls?

Not all firewalls are the same; many have very different design goals and objectives. Some, such as router-based firewalls, are designed for cost, speed and flexibility. Properly configured commercial routers, for some applications, provide excellent security. They might not be adequate for other customer applications, such as ones requiring advanced audit trail, traffic screening, or a more restrictive access policy. Indeed, for some applications, a correctly configured Windows-based SMTP gateway (e.g., a Cc:Mail SMTP server) might provide all the firewall functionality a site needs, as well as adequate security.
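The contrast drawn above between a router-based filter built for cost and speed and a firewall built around a restrictive access policy with an audit trail, as an added example that is not from the essay or from Vesaria: a toy first-match packet filter in Python that runs the same constructed traffic through both kinds of policy. All addresses (RFC 5737 documentation ranges), hosts, rules and the two policies are assumptions made up for the example; the point is that both devices are "correctly configured" for their own goals yet decide the same packet differently, and only one of them can tell you afterwards what it saw.

```python
"""Added example (not from Ranum's essay or Vesaria): a toy first-match
packet filter used to show how two 'firewalls' built for different goals
decide the same traffic differently. Every address, host and policy below
is constructed sample data (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: str                   # CIDR the source must fall in
    dst: str                   # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False          # write an audit record when this rule fires

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_action: str        # decision when no rule matches
    log_default: bool = False  # does the device record default decisions?
    audit: List[str] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; the default applies otherwise."""
        flow = f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}"
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.log:
                    self.audit.append(f"{self.name}: rule {idx} {rule.action} {flow}")
                return rule.action
        if self.log_default:
            self.audit.append(f"{self.name}: default {self.default_action} {flow}")
        return self.default_action


INTERNAL = "192.0.2.0/24"          # constructed internal network
MAIL_GW = "192.0.2.25/32"          # constructed SMTP gateway
DNS_SRV = "192.0.2.53/32"          # constructed DNS server
ANYWHERE = "0.0.0.0/0"


def router_acl() -> Policy:
    """Router-style filter: cheap and fast, default permit, blocks only
    inbound telnet, keeps no audit trail."""
    return Policy("router-acl",
                  [Rule("deny", "tcp", ANYWHERE, INTERNAL, 23)],
                  default_action="permit")


def restrictive_gateway() -> Policy:
    """Restrictive policy: default deny, only the services the site runs
    are reachable, and decisions are logged."""
    return Policy("restrictive",
                  [Rule("permit", "tcp", ANYWHERE, MAIL_GW, 25, log=True),
                   Rule("permit", "udp", ANYWHERE, DNS_SRV, 53)],
                  default_action="deny", log_default=True)


# Constructed sample traffic arriving from the outside (198.51.100.7).
SAMPLE_TRAFFIC = [
    Packet("tcp", "198.51.100.7", "192.0.2.25", 25),    # SMTP to the gateway
    Packet("tcp", "198.51.100.7", "192.0.2.10", 23),    # telnet to a workstation
    Packet("tcp", "198.51.100.7", "192.0.2.10", 8080),  # unknown service
    Packet("udp", "198.51.100.7", "192.0.2.53", 53),    # DNS query
]


def screen(policy: Policy, traffic: List[Packet]) -> List[str]:
    """Run each packet through the policy and return the decisions."""
    return [policy.decide(pkt) for pkt in traffic]


if __name__ == "__main__":
    for build in (router_acl, restrictive_gateway):
        policy = build()
        print(policy.name, screen(policy, SAMPLE_TRAFFIC))
        for line in policy.audit:
            print("  ", line)
```

Running it shows the router ACL permitting the connection to port 8080 that the restrictive gateway denies, and the router producing no audit records at all. Neither result is "wrong" on its own terms, which is exactly why a single certification laundry list would have to either forbid one design or say nothing useful about either.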

The problem then is that if an Orange Book for firewalls is developed, it will either be so general as to be nearly useless, or it will be so specific as to be a marketing club that vendors seek to manipulate and hold over each other's heads. The prospect of vendors lobbying a hypothetical certification authority to require functionality that gives them a market edge is not only disturbing, it's also highly likely. The current standards arena ("Arena" is the right word to use here!) is now a highly charged battlefield in which vendors are actively lobbying standards makers to manipulate present and future standards to their advantage. It would be a shame to see such a thing happen with firewalls, but standardization of what is "good" in firewalls will make this inevitable.

More than one certification authority

It is my belief that if there is an attempt to establish a certification authority for firewalls, we will wind up with several. The vendors who are out-lobbied on the first certification authority's laundry list will band together and create their own. Ad nauseam. So, we'll either see one certification authority in which the laundry list is so vague as to be almost useless, or we'll see competing certification authorities, none of which have any integrity except to their constituent vendors.

Ranum On Firewall Testing

Previous Section: Abstract

Next Section: What would "certification" mean in a firewall?

© 2000 - 2017 Vesaria Network Security Specialists