Making sense of the features security vendors load in their product data sheets is like trying to mold Jell-O by hand--try to grasp one section and the rest squishes out of reach. Despite your best attempts, you aren't sure exactly what the amorphous security product does or how well it performs. And you probably don't have the time or resources to test it thoroughly before buying it.
Here's an idea: Instead of relying on a brief product demo or trial, check out the product's security certifications. Security certification is the equivalent of in-depth testing without the heavy lifting. A third-party lab or organization tests the product against certain criteria and grades it accordingly. If you're fluent in security-certification criteria, you can glean valuable information about a security device or software.
Not all product certifications are equal, however. Their usefulness depends on the purpose of the certification. You need to understand whether the testing was for functional or implementation purposes, the context of the test and the scope of the results. Most product certifications focus on functional testing--not a feature-by-feature comparison scoring one product over another. The functional tests determine whether a product meets the certification criteria.
The main certifications for security products are the Common Criteria (CC), Federal Information Processing Standard 140-2 (FIPS-140-2) Security Requirements for Cryptographic Modules, and ICSA Labs. Security consultancy Neohapsis--and a Network Computing lab partner--sponsors the Open Security Evaluation Criteria (OSEC), which takes a community-peer-review approach to certification with input from vendors and users.
These certifications complement one another, but if you're a government agency or contractor, you should use the CC and FIPS-140-2 certifications.
Know Your Needs
To get the most out of certifications, you must know your organization's security requirements. These should be stated in a security policy or request for proposal. With such a document in hand, you can easily compare the certification's functionality tests against your needs. It also helps to understand the certification terminology. Common Criteria provides language for building a protection profile (PP), which states your requirements.
To determine whether a certification will help in your product analysis, look at how the certification defines a particular security function--for example, whether a stateful packet-filtering firewall is tracking the state of a TCP session properly. Knowing, for instance, that the certification lab defines and tests TCP state as just TCP session setup and tear-down, and doesn't include TCP sequence numbering and error-control mechanisms, can help you decide whether that particular certification is appropriate for your requirements.
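To make the scope difference concrete, here is an added illustration (not from the article or any certification lab) of two simplified trackers for one TCP flow: one that models only session setup and tear-down, and one that also checks sequence numbers. The window size, the packet fields and the sample packets are assumptions constructed for the demo.

```python
# Added example: what "TCP state" covers when a test models only setup/tear-down
# versus setup/tear-down plus sequence numbers. Packets are constructed dicts
# (dir, flags, seq, len); WINDOW is an assumed receive window.
WINDOW = 65535

def _in_window(seq, expected):
    """True if seq is within WINDOW bytes of expected (either side, wrap-aware)."""
    d = (seq - expected) % (1 << 32)
    return d < WINDOW or d > (1 << 32) - WINDOW

class SetupTeardownTracker:
    """Tracks only the handshake and close; any packet on an ESTABLISHED flow passes."""
    def __init__(self):
        self.state = "NONE"
    def check(self, pkt):
        flags = pkt["flags"]
        if self.state == "NONE" and flags == {"SYN"}:
            self.state = "SYN_SENT"; return True
        if self.state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.state = "SYN_RECV"; return True
        if self.state == "SYN_RECV" and flags == {"ACK"}:
            self.state = "ESTABLISHED"; return True
        if self.state == "ESTABLISHED":
            if "FIN" in flags or "RST" in flags:
                self.state = "CLOSED"
            return True
        return False

class SequenceAwareTracker(SetupTeardownTracker):
    """Additionally requires client->server packets to sit inside the expected window."""
    def __init__(self):
        super().__init__()
        self.next_seq = None  # next expected client->server sequence number
    def check(self, pkt):
        if pkt["dir"] == "c2s" and self.state in ("SYN_RECV", "ESTABLISHED"):
            if not _in_window(pkt["seq"], self.next_seq):
                return False  # right flow, wrong place in the stream: drop
        ok = super().check(pkt)
        if ok and pkt["dir"] == "c2s":
            fin_or_syn = 1 if pkt["flags"] & {"SYN", "FIN"} else 0
            self.next_seq = pkt["seq"] + pkt["len"] + fin_or_syn
        return ok

# Constructed sample flow: handshake, 100 bytes of data, one packet 5 MB
# outside the window, then a normal close.
SAMPLE = [
    {"dir": "c2s", "flags": {"SYN"}, "seq": 1000, "len": 0},
    {"dir": "s2c", "flags": {"SYN", "ACK"}, "seq": 5000, "len": 0},
    {"dir": "c2s", "flags": {"ACK"}, "seq": 1001, "len": 0},
    {"dir": "c2s", "flags": {"ACK"}, "seq": 1001, "len": 100},
    {"dir": "c2s", "flags": {"ACK"}, "seq": 1101 + 5_000_000, "len": 20},
    {"dir": "c2s", "flags": {"FIN", "ACK"}, "seq": 1101, "len": 0},
]

def demo():
    """Return the per-packet verdicts of both trackers on SAMPLE."""
    simple, aware = SetupTeardownTracker(), SequenceAwareTracker()
    return ([simple.check(p) for p in SAMPLE], [aware.check(p) for p in SAMPLE])
```

Both trackers accept the handshake and close; only the sequence-aware one rejects the fifth packet, which is the kind of gap a setup/tear-down-only test would never reveal.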
Certification tests typically are restricted to a subset of a product's features. Although most firewalls support IPsec (IP security), just because a firewall passes ICSA Labs Firewall Certification doesn't mean it passes the IPsec VPN Certification. And these functional certifications merely confirm that a security feature works--they don't shed any light on the importance of the feature.