Firewall certification

The degree of trust which can be placed in a firewall can be measured through independent evaluation using a suitable criteria. Such criteria provide a measure by which end-users can make informed decisions on the purchase of firewall products in conjunction with their security policy. This paper examines two groups of evaluation criteria and their suitability for firewall certification. The first group consists of criteria used by government certification programmes to meet the particular needs of government and related agencies. Members of this group include the: Information Technology Security Evaluation Criteria and the Common Criteria for Information Technology Security Evaluation. The second group consists of criteria created specifically for commercial certification programmes, and focuses on penetration testing to meet the needs of the private sector. Members of this group include the International Computer Security Association's Firewall Product Developers' Consortium Product Certification Criteria, and West Coast Labs Firewall Checkmark Criteria. The paper also shows the certification status of a number of firewall products currently on the market. Finally the paper reviews the success and applicability of these criteria in practice.