The firewall market is a pretty wild and woolly place. There are hardware and software products targeting big companies and small, firewalls being built into routers and gateways, and others gunning for consumers' desktops. Just as confusing is the variety of technologies in play: do you want a proxy firewall, a network address translation firewall, or one that employs stateful packet inspection?
Until now, the ICSA Labs (International Computer Security Association) firewall certification program has used a one-size-fits-all set of criteria to test the security of firewall devices. As a result, some lower-end products have gone uncertified, leaving small-office workers and consumers to scratch their heads over technical jargon, weigh marketing hype and worry whether their networks are suitably protected.
The good news is that ICSA Labs is about to unveil Version 4.0 of the certification program, which addresses the changing market. Certification under 4.0 is a two-step process: a product must first pass a baseline set of criteria, and then be tested against the needs of its target audience and the characteristics of the networks it will protect. Vendors must have products tested in one of three categories: residential/consumer, small office/branch office/teleworker, or traditional corporate.
In the residential/consumer environment, the idea is "to protect users who don't know what a firewall is but think it's a good idea to have one," says Al Potter, manager of ICSA's network security lab. To pass the test, the firewall device must be easy to configure and safe by default. It needn't support inbound services or include remote management features.
In the second category, the firewall device sits in a home office or branch office and is managed remotely by an IT administrator in the corporate office. Such a device must be reachable and administrable from the public side of the firewall through an encrypted channel, and should allow some inbound services through to an e-mail server and a Web server. The third category is the traditional corporate firewall, whose criteria remain relatively unchanged.
"We shaped these categories to reflect the way they're being used," Potter says. "We each asked ourselves: How do I configure my firewall? The answer is, I allow everything out but nothing back in. That's fine at home but not for the enterprise."
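The two lower-tier profiles described above differ only in a handful of inbound exceptions, and both rest on the same stateful rule Potter sums up as "everything out, nothing back in." The following model makes that policy concrete. It is an added example, not ICSA's test code or any vendor's firewall; the addresses, ports, packet trace and the choice of SSH as the encrypted management channel are constructed assumptions, and the "no state and not a SYN" check in rule 2 is standard stateful-filter practice rather than something the article spells out. Only TCP is modelled.

```python
"""Policy model for the ICSA 4.0 residential and SOHO firewall profiles.

Added example, not ICSA's or any vendor's code. Addresses, ports and the
packet trace are constructed for illustration. Residential: everything out,
nothing in, no remote management. SOHO: the same, plus inbound mail and web
to designated hosts and encrypted remote management from the public side.
"""
from dataclasses import dataclass, field

# Constructed addresses (assumptions, not from the article).
INSIDE_NET = "192.168.1."    # protected LAN
FW_PUBLIC = "198.51.100.1"   # firewall's own public-side address
MAIL_HOST = "192.168.1.10"
WEB_HOST = "192.168.1.20"
MGMT_HOST = "203.0.113.5"    # corporate admin workstation, public side
MGMT_PORT = 22               # encrypted management channel (SSH assumed)

# SOHO-only inbound exceptions: (destination host, port) pairs.
SOHO_INBOUND = {(MAIL_HOST, 25), (WEB_HOST, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


@dataclass
class Firewall:
    profile: str                              # "residential" or "soho"
    conns: set = field(default_factory=set)   # accepted connections as (src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        """Return "accept" or "drop" for one packet, updating connection state."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)

        # 1. Stateful: packets of an already accepted connection pass in either
        #    direction. This is what lets replies to outbound sessions back in
        #    without opening any inbound port.
        if fwd in self.conns or rev in self.conns:
            return "accept"

        # 2. No state and not a SYN: not a new connection, so either stray
        #    traffic or an attempt to look like part of an existing session.
        if not p.syn:
            return "drop"

        # 3. Outbound: allow everything out, in both profiles.
        if inside(p.src) and not inside(p.dst):
            self.conns.add(fwd)
            return "accept"

        # 4. Inbound: the residential profile has no exceptions at all.
        if self.profile == "soho":
            if (p.dst, p.dport) in SOHO_INBOUND:
                self.conns.add(fwd)
                return "accept"
            if p.src == MGMT_HOST and p.dst == FW_PUBLIC and p.dport == MGMT_PORT:
                self.conns.add(fwd)
                return "accept"

        # 5. Default deny.
        return "drop"


# Constructed packet trace (an assumption, not captured traffic).
TRACE = [
    Packet("192.168.1.50", 40000, "93.184.216.34", 443, syn=True),   # LAN user browses out
    Packet("93.184.216.34", 443, "192.168.1.50", 40000),             # reply to that session
    Packet("198.51.100.77", 5555, "192.168.1.50", 445, syn=True),    # unsolicited SMB probe
    Packet("198.51.100.77", 33000, MAIL_HOST, 25, syn=True),         # inbound mail
    Packet(MAIL_HOST, 25, "198.51.100.77", 33000),                   # mail server's reply
    Packet("198.51.100.77", 33001, WEB_HOST, 80, syn=True),          # inbound web
    Packet("198.51.100.77", 33002, WEB_HOST, 22, syn=True),          # SSH to web host: not offered
    Packet(MGMT_HOST, 50000, FW_PUBLIC, MGMT_PORT, syn=True),        # admin manages the firewall
    Packet("198.51.100.77", 50001, FW_PUBLIC, MGMT_PORT, syn=True),  # stranger tries the same
]


def run_trace(profile: str) -> list[str]:
    """Run the constructed trace through a fresh firewall and return the decisions."""
    fw = Firewall(profile)
    return [fw.filter(p) for p in TRACE]


if __name__ == "__main__":
    for profile in ("residential", "soho"):
        print(profile)
        for pkt, verdict in zip(TRACE, run_trace(profile)):
            print(f"  {verdict:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Running the trace under both profiles shows the difference in one glance: the residential firewall drops every inbound SYN, including the management attempt, while the SOHO firewall admits only the mail and web connections to their designated hosts and management from the corporate workstation. Note that the mail server's reply (packet 5) is dropped under the residential profile even though it is outbound, because no accepted connection exists for it; without rule 2, "allow everything out" would have let it through and silently created state.
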
Other activity at ICSA Labs includes the development of a new host-based firewall program for certifying desktop firewalls. This too will include separate modules targeting the corporate and consumer markets.
Potter says the Labs will later turn its attention to developing a module for measuring firewall performance. "Four or five years ago, the focus was on security, then on features. Now that these are a given, performance will become the primary interest," adds firewall programs manager Brian Monkman.