Formal evaluation just means that the features judged relevant to the
evaluation can be minimally verified. On the flip side, there's David
Litchfield's observation in the introduction to The Oracle Hacker's
Handbook: "The Oracle RDBMS was evaluated under Common Criteria to
EAL4... However, the first few versions of Oracle that gained EAL4 had
a buffer overflow in the authentication mechanism." He goes on to say
that standards are necessary to some extent but not fully indicative.
You'll find summary arguments and starting links off the Common
Criteria's Wikipedia entry. Given such limitations, perhaps you might
propose a more open evaluation and make code access for audit,
including escrow access for an established third-party authority,
a major criterion?
On 1 Feb 2010 at 23:06, Keith wrote:
I've used OpenBSD & PF for a number of years without issue and am
now in the position that I want to create a DMZ between the Internet
and my organisation's WAN. Our security people are asking if the
firewall that we use is accredited by ITSEC and I am pretty sure
it isn't, but it turns out that our security people will be happy if
the firewall is accredited for use by another government!
I am very happy with my PF firewalls and their reliability and don't
want to be forced into purchasing some Cisco / forenet commercial
firewall that I've never used before, so am desperate to find some
details of any foreign governments that are using OpenBSD / PF as a
firewall or any details of any certification of the PF firewall.
Can anyone help me out ?
Thanks
Keith