VESARiA Network Security Specialists

Firewall Testing



Appendix A: The Orange Book on Testing

Life-Cycle Assurance

  Security Testing

                     The security mechanisms of the ADP system shall be tested
                     and found to work as claimed in the system documentation. 
                     A team of individuals who thoroughly understand the
                     specific implementation of the TCB shall subject its
                     design documentation, source code, and object code to
                     thorough analysis and testing.  Their objectives shall be:
                     to uncover all design and implementation flaws that would
                     permit a subject external to the TCB to read, change, or
                     delete data normally denied under the mandatory or
                     discretionary security policy enforced by the TCB; as well
                     as to assure that no subject (without authorization to do
                     so) is able to cause the TCB to enter a state such that it
                     is unable to respond to communications initiated by other
                     users.  The TCB shall be found relatively resistant to
                     penetration.  All discovered flaws shall be corrected and
                     the TCB retested to demonstrate that they have been
                     eliminated and that new flaws have not been introduced.
                     Testing shall demonstrate that the TCB implementation is
                     consistent with the descriptive top-level specification.
                     (See the Security Testing Guidelines.)

  Design Specification and Verification

                     A formal model of the security policy supported by the
                     TCB shall be maintained over the life cycle of the ADP
                     system that is proven consistent with its axioms.  A
                     descriptive top-level specification (DTLS) of the TCB
                     shall be maintained that completely and accurately
                     describes the TCB in terms of exceptions, error messages,
                     and effects.  It shall be shown to be an accurate
                     description of the TCB interface.

  Configuration Management

                     During development and maintenance of the TCB, a
                     configuration management system shall be in place that
                     maintains control of changes to the descriptive top-level
                     specification, other design data, implementation
                     documentation, source code, the running version of the
                     object code, and test fixtures and documentation.  The
                     configuration management system shall assure a consistent
                     mapping among all documentation and code associated with 
                     the current version of the TCB.  Tools shall be provided
                     for generation of a new version of the TCB from source
                     code.  Also available shall be tools for comparing a
                     newly generated version with the previous TCB version in
                     order to ascertain that only the intended changes have
                     been made in the code that will actually be used as the
                     new version of the TCB.
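The last requirement above, comparing a newly generated TCB version with the previous one so that only the intended changes are accepted, can be mechanised with a hashed manifest of build artifacts. The following is an added example, not taken from the Orange Book or from Ranum's paper: the artifact contents, the file paths and the list of intended changes are constructed for illustration, and the SHA-256 manifest is an assumption standing in for whatever the configuration management tool actually records.

```python
"""Compare two generated TCB versions and flag changes outside the change request.

Added illustrative example; the artifacts below are constructed, not real TCB code.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample artefacts standing in for the previous and the newly
# generated version of the TCB (object code plus the DTLS document).
PREVIOUS_VERSION = {
    "tcb/kernel.o": b"kernel object v1",
    "tcb/acl.o": b"acl object v1",
    "tcb/audit.o": b"audit object v1",
    "doc/dtls.txt": b"DTLS revision 1",
}
NEW_VERSION = {
    "tcb/kernel.o": b"kernel object v1",        # untouched
    "tcb/acl.o": b"acl object v2 (fix)",        # intended change
    "tcb/audit.o": b"audit object v1 + debug",  # NOT in the change request
    "doc/dtls.txt": b"DTLS revision 2",         # intended change
    "tcb/helper.o": b"new helper object",       # NOT in the change request
}
# The paths the approved change request says may differ between versions.
INTENDED_CHANGES = {"tcb/acl.o", "doc/dtls.txt"}


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each artifact path to the SHA-256 digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


@dataclass(frozen=True)
class Comparison:
    added: frozenset[str]
    removed: frozenset[str]
    changed: frozenset[str]

    @property
    def touched(self) -> frozenset[str]:
        """Every path that differs in any way between the two versions."""
        return self.added | self.removed | self.changed


def compare(old: dict[str, bytes], new: dict[str, bytes]) -> Comparison:
    """Classify each artifact as added, removed, changed or (implicitly) unchanged."""
    old_m, new_m = manifest(old), manifest(new)
    added = frozenset(new_m) - frozenset(old_m)
    removed = frozenset(old_m) - frozenset(new_m)
    changed = frozenset(p for p in old_m.keys() & new_m.keys() if old_m[p] != new_m[p])
    return Comparison(added, removed, changed)


def verify_intended(old: dict[str, bytes], new: dict[str, bytes], intended: set[str]):
    """Return (ok, unexpected, unrealised).

    unexpected: paths that differ but were not in the change request.
    unrealised: paths the change request named but that did not change,
                which also indicates the build did not match the request.
    """
    result = compare(old, new)
    unexpected = sorted(result.touched - frozenset(intended))
    unrealised = sorted(frozenset(intended) - result.touched)
    return (not unexpected and not unrealised, unexpected, unrealised)


if __name__ == "__main__":
    ok, unexpected, unrealised = verify_intended(PREVIOUS_VERSION, NEW_VERSION, INTENDED_CHANGES)
    print("accept new version:", ok)
    print("changes outside the request:", unexpected)
    print("requested changes not present:", unrealised)
```

On the constructed input the new version is rejected: `tcb/audit.o` changed and `tcb/helper.o` appeared although neither is in the change request. A rebuild that touches exactly the requested paths, and nothing else, is the only outcome that passes, which is the property the paragraph above asks the comparison tool to establish.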

This paper, and all contents, are Copyright (C) 1995 by Marcus J. Ranum. Do not duplicate, re-publish, or reprint them without permission. Published as part of the VESARiA Security Library with permission.

Ranum On Firewall Testing

© 2000 - 2018 Vesaria Network Security Specialists