The Modular Firewall Certification Criteria Version 4.1

ICSA Labs tests firewall products against a standard yet evolving set of criteria. Our Firewall Certification Criteria is composed of both functional and assurance requirements. Our criteria requirements define an industry-accepted standard that all products claiming to have firewalling capabilities must attain.

Historically, the ICSA Labs Firewall Product Certification Criteria has taken a "one size fits all" approach, the intent being that every product would have to meet the same requirements in order to be certified. However, the firewall market has evolved significantly since ICSA Labs introduced version 1.0 of the Firewall Product Certification Criteria in 1996. Version 4.1 of the ICSA Labs Modular Firewall Certification Criteria accommodates the evolution of the firewall market.

Version 4.0, the previous version of the criteria, was the culmination of over a year and a half of work with industry experts, end users and the Firewall Product Developers Consortium, an international forum of competing developers of firewall products that work toward common goals to benefit both members and end users.

Version 4.1 reflects the different functional requirements in today's multi-segmented firewall market.

Points worth noting with respect to this version 4.1:

  • Nothing has changed with respect to this version from 4.0 that would require a vendor to make changes to their product in order to pass testing.
  • The interpretation notes used in conjunction with version 4.0 of the criteria have been incorporated into version 4.1. The interpretation notes will be left on the website for historical reference.
  • All products that do not possess an onboard, battery backed up clock must be able to acquire time from an external source. For the Residential category no change has been made. For SMB this mechanism must be either SNTP or NTP, as outlined in the criteria. For Corporate the mechanism must be NTP, as outlined in the criteria. Please note that, for now, this is a conditional requirement applicable only to those products that do not have a clock as noted above. To date, any product that has not had an onboard clock would have failed to satisfy the version 4.0 persistence requirements.

The 4.1 documents that can be downloaded below (PDF format) are:

  • Baseline Module (required for every certified product)
  • 4.1a Logging Criteria (replaces 4.1 Baseline Logging criteria) (required for every certified product)
  • Residential, Small/Medium Business (SMB), Corporate (vendor selects one of these for their product to be tested against)
  • Glossary (definitions of terms used in 4.1 criteria documents)

Additionally, ICSA Labs is releasing Optional Modules that vendors with certified products may elect to be tested against. The first optional module addresses the Network Firewall VoIP requirements. The second module addresses the Network Firewall High Availability requirements.

If you have any questions or comments regarding Version 4.1 of ICSA Labs' Modular Firewall Certification Criteria, please contact Brian Monkman at bmonkman@icsalabs.com.