North American Network Operators Group


Re: Input requested for second edition of "Firewalls and Internet Security"

  • From: Sean Donelan
  • Date: Mon Oct 21 04:46:01 2002

On Mon, 21 Oct 2002 [email protected] wrote:
> Or stated differently - let's say you're a consultant.  Which can you sell
> to the customer more easily - a firewall, or telling them that somebody needs
> to explain to the VP that 'viceprez' is a Bad Password?

That may partially explain why people sell it or even why they buy it.

On the other hand, if we are supposed to be documenting best practices,
why document bad practices just because it's easier for vendors or
consultants to sell?  www.google.com seems to find a lot of repetition
of the same firewall lore, with only a limited amount of critical
analysis.

> > Is the Orange Book really dead?
>
> It's dead as far as providing an actual useful spec, as far as I can tell.
> It had a number of problems - an actual rating was only for *ONE* specific
> configuration, and changing it (even by upgrading memory or adding disks)
> would technically invalidate it.  The whole RAMP thing to maintain a rating
> across a software upgrade was a true horrorshow paperwork-wise, and it
> didn't address network connectivity (although to be fair, there were other
> Rainbow Books that talked about RAMP and network stuff).  It's still useful
> as a framework reference, mostly due to its ubiquity.

As a rating, evaluation, certification regime the rainbow series, common
criteria, etc. have their issues.  As handbooks or textbooks, the rainbow
books were useful to a new practitioner in the field.

My concern is that O/S (Orange Book) and application security seem to be
almost completely dead in the computer security field.  Network security,
IDS, firewalls, etc. are where most of the action is.  But host security
is still where the buck starts and stops.