Input requested for second edition of "Firewalls and Internet Security"

Sean Donelan sean at donelan.com
Mon Oct 21 08:43:43 UTC 2002


On Mon, 21 Oct 2002 Valdis.Kletnieks at vt.edu wrote:
> Or stated differently - let's say you're a consultant.  Which can you sell
> to the customer more easily - a firewall, or telling them that somebody needs
> to explain to the VP that 'viceprez' is a Bad Password?

That may partially explain why people sell it or even why they buy it.

On the other hand, if we are supposed to be documenting best practices,
why document bad practices just because it's easier for vendors or
consultants to sell?  www.google.com seems to find a lot of repetition
of the same firewall lore, with only a limited amount of critical
analysis.

> > Is the Orange Book really dead?
>
> It's dead as far as providing an actual useful spec, as far as I can tell.
> It had a number of problems - an actual rating was only for *ONE* specific
> configuration, and changing it (even by upgrading memory or adding disks)
> would technically invalidate it.  The whole RAMP thing to maintain a rating
> across a software upgrade was a true horrorshow paperwork-wise, and it
> didn't address network connectivity (although to be fair, there were other
> Rainbow Books that talked about RAMP and network stuff).  It's still useful
> as a framework reference, mostly due to its ubiquity.

As a rating, evaluation, and certification regime, the rainbow series, common
criteria, etc. have their issues.  As handbooks or textbooks, the rainbow
books were useful to a new practitioner in the field.

My concern is O/S (Orange Book) and application security seems to be
almost completely dead in the computer security field.  Network security,
IDS, firewalls, etc. is where most of the action is.  But host security
is still where the buck starts and stops.