New Certification Standards for Firewalls

ICSA Labs, a division of TruSecure, offers firewall certification by testing firewalls against a defined set of criteria. Firewall products that meet the criteria can claim ISCA Labs Certification. In the past, ICSA Labs has used one set of criteria to certify all firewall products, whether those firewalls were designed for large corporations, small businesses, or residential users.

ICSA Labs has now developed "Modular Firewall Certification Criteria 4.0." The criteria include a base set of requirements—plus three other sets of requirements that differ based on the firewall's target market. According to ICSA Labs, "Version 4.0 is the culmination of over a year and half of work with industry experts, end users and the Firewall Product Developers Consortium - an international forum of competing developers of firewall products that works toward common goals to benefit both members and end users. Version 4.0 reflects the different functional requirements in today's multi-segmented firewall market."

The base criteria module—applicable to all firewalls—requires that firewalls adhere to specific logging requirements, provide certain administrative capabilities, and maintain security policy persistence. The firewalls must also pass functional tests to prove that their policies and administration features work as intended, that they prevent unauthorized access to administrative functions, that they aren't vulnerable to evolving sets of attacks, and that they don't introduce vulnerabilities through their integration into a network. The firewalls must also pass tests that demonstrate their resistance to trivial Denial of Service (DoS) attacks and their ability, if they fail, to fail in a way that stops all network traffic to protect the networks they guard. And, of course, the firewalls must also have thorough, accurate documentation in such areas as installation, administration, and maintenance.

The other three criteria sets (corporate, business, and residential) have a few overlapping requirements, such as the default policy's allowed inbound and outbound protocols and remote administration capabilities. However, beyond those overlapping elements, the requirements differ significantly according to target market. As you might expect, the corporate firewall requirements are more stringent than those for business firewalls, and those for business firewalls more stringent that those for residential firewalls. The differences among the three modules lie mostly in the areas of logging, administration, and time/date persistence. Overall, the requirements for any type of firewall are stricter than the previous requirements ICSA Labs used. You can read about the exact criteria for each firewall type.

So far, the following companies and products have achieved ICSA Labs' 4.0 certification for corporate firewalls: Nortel Networks' Alteon Switched Firewall, Novell's BorderManager, Check Point Software Technologies' Check Point FireWall-1 Next Generation Linux FP-3, Cisco Systems' PIX Firewall Family, CyberGuard Premium Firewall Appliance, Global Technology Associates' (GTA's) GTA Firewall Family, Intoto's iGateway, Fortinet's FortiGate-300, and NetScreen Technologies' NetScreen Family. Other companies are in the process of certifying their corporate firewalls under the new criteria.

To date, ICSA Labs hasn't certified any level 4.0 business products and has certified only two level 4.0 residential products (both hardware-based)—Jungo's OpenRG and RIAS's GreatSpeed GS-1540G. You can find a list of all ICSA Labs certified firewalls.

In general, the new multilevel certification criteria make sense. Usually, a residential user's firewall doesn't need to meet the same overall requirements as a firewall that protects a large corporate network. For example, a residential firewall often doesn't need the same remote administration capabilities that a business or corporate firewall needs. ICSA Labs' new approach to certification should give developers more flexibility by providing a way to certify products that serve different target users.