Firewall Product Certification Criteria Evolution

ICSA Labs tests firewall products against a standard yet evolving set of criteria. Our Firewall Product Certification Criteria is composed of both functional and assurance requirements. Altogether, these criteria requirements define an industry-accepted standard that all products claiming to have firewalling capabilities must attain.

Criteria Evolution

Today, ICSA Labs is testing candidate firewall products against Modular Firewall Product Certification Criteria version 4.2. For those of you interested in the criteria's progress over time, check out our links to the now obsolete version 2.1, version 3.0, version 3.0a, version 4.0, version 4.1 and the Logging Adddendum to 4.1 which was versioned as 4.1a.

Our criteria has matured over the years as the firewall industry has evolved. The latest iteration of the criteria always begins with the previous version as its baseline. From this base set of requirements, new ones are added to it reflecting advances in firewall industry technology.

Additionally, version 4.2 has been structured to reflect the security and functional requirements of various market segments as defined by ICSA Labs in conjunction with the Firewall Product Developers' Consortium.

It makes sense, therefore, that candidate firewall products submitted to ICSA Labs are always tested against the latest version of our Modular Firewall Product Certification Criteria. Further, firewall products that have successfully passed the current criteria also implicitly meet all earlier versions of the criteria.

Industry Input

New versions of the criteria are created by ICSA Labs in conjunction with the input of leading firewall vendors that are members of the ICSA Labs Firewall Product Developer's Consortium (FWPD). After all, what better resources are there to use when constructing standard firewall criteria than actual firewall vendor personnel?

Vetting is the final step before a new criteria version becomes an official standard. The new criteria requirements are vetted by the FWPD, renowned firewall industry experts and end users.

Continuous Testing

Once a product is granted ICSA Labs Firewall Certification it is moved to ICSA Labs' Continuous Deployment testbed. This infrastructre permits periodic re-testing of certified products whenever circumstances warrant. Each vendor is required to ensure that ICSA Labs is sent updates to certified products whenever an update is released.

Re-Certification Testing occurs on an approximately annual basis. The certification of a vendor's product survives changes of said product (i.e. if a vendor's product moves from, for example,the certification tested version 5.0 to 5.5 then the 5.5 version of the product continues to be certified). This holds true unitl such time a periodic re-test or annual re-certification test finds the product is be in violation of one of the elements of the current certiifcation criteria. If such a violation is found the vendor will be required to provide a fix that addresses the violation in the timeframe outlined in the Decertification Escalation Process Guidelines.