Internet & Intranet Security
11.6 FIREWALL CERTIFICATION
The idea of having security properties of IT products and systems evaluated and certified by some trusted party is not new and has led to the development of various criteria catalogs, such as the Trusted Computer System Evaluation Criteria (TCSEC), also known as Orange Book in the United States, the Information Technology Security Evaluation Criteria (ITSEC) in Europe, and the Common Criteria (CC) for the international market. In theory, the same or slightly modified and enhanced versions of these catalogs could also be used to evaluate and certify firewall systems. In practice, however, there are only a few firewalls that have been evaluated and certified thus far.
Meanwhile, some companies and organizations have independently started to evaluate and certify the security properties of some commercial firewall products. For example, the ICSA Labs,[2] a division of TruSecure Corporation,[3] have become active in the field.[4] In fact, the ICSA Labs host a Firewall Product Developers Consortium (FWPD) Community that has released a set of firewall product certification criteria (currently in version 3.0a). In short, the criteria define functionality and security requirements for firewall products:
- The functionality requirements specify TCP/IP protocols and services that must be provided to internal clients and external users. In particular, the protocols include Telnet, FTP, HTTP (with and without SSL support), SMTP, and DNS. In addition, the functionality requirements also address firewall management.
- Upon demonstration of its functionality, a firewall product is also subjected to a couple of tests to demonstrate protection against a standardized and evolving suite of attacks. These tests are performed with several tools, including a port scanning tool, the ISS Security Scanner, and some proprietary tools developed in-house.
There are too many firewall products that have met the ICSA Labs and FWPD criteria and that are authorized to carry the ICSA Certified logo in their marketing and other literature accordingly. Unfortunately, in a market in which almost all products are authorized to carry a specific logo, the value of this logo to differentiate products is negligible. This is the current situation with the ICSA Certified logo in the firewall market.
[2] http://www.icsalabs.com
[3] http://www.trusecure.com
[4] The ICSA Labs evolved from the National Computer Security Association (NCSA) that was later renamed the International Computer Security Association (ICSA).