Common Criteria is NOT an absolute (nor good) indication of the "security" of a product. The developer gets to write the Security Target and define the Target of Evaluation. The product then gets evaluated, in the case of ISA by the Germans. So while those damn Ruskies may have the Cisco source, those damn Germans (yes, their lab evaluated ISA) get to put the little certification stamp on the product that lets you sleep at night.

Common Criteria.....

Below are a couple of quick notes on CC Validation for ISA.

ISA 2004 (EAL 4+)
-- Thought it was in evaluation. If you can find the Security Target or Certification Report, please post.
-- Can't wait to see the caveats like the ones below for ISA 2000.

ISA 2000 (EAL 2)
-- Must be installed on Windows 2000 Server.
-- No Active Directory integration allowed (WoW!!).
-- Local administration only (who cares about the neat little Admin console you can run from your desktop instead of walking up to the server room floor).
-- ISA must be installed on HP/Compaq ProLiant ML330 G2 hardware. (May be able to pick one up on eBay.)
-- Must run in Firewall Mode only (what a shame, the cache feature was pretty cool).
-- You cannot change the evaluated configuration. (So, please do not install Win2k Server Service Pack 4.)

So, does Common Criteria really matter?