Security Basics mailing list archives
Re: Evaluating the security level of a firewall
From: "James Fields" <jvfields () tds net>
Date: Mon, 26 May 2003 13:27:18 -0400
It's not a matter of Nessus or any other tool being "good enough" - the point goes back to what you friend said about being too busy. I have a limited number of hours per weeks. I manage 8 firewalls, numerous IDS sensors and maintain about 50 VPNs for my company. I also am part of a team responsible for managing our routers, switches, etc. I do not have time to research, on a regular basis, everything going on in the industry. I've been told some companies hire security people who do nothing else - but I've yet to work at such a place, and can't say what it would be like... ----- Original Message ----- From: "yannick'san" <yannicksan () free fr> To: <security-basics () securityfocus com> Sent: Saturday, May 24, 2003 11:24 AM Subject: Evaluating the security level of a firewall
Hello folks, Well, a couple of days ago, I had a strong discussion with friends about
how
to regularly evaluate the security level of a firewall. First of all, everybody agreed that we can't install/configure a firewall and then sleep and consider that everything behind it is in a secure area
.
In any security approach we have to think about the "life cycle" of the firewall. thus, security managers has to plan for a recursive process for regularly looking for its state and the vulnerabilities which could have came out on it. In fact, our discussion became very strong when we started to talk about
the
methods we were using for. They told me that they were only evaluating the security level by regularly launching tools (like nessus) against their firewall. So, somewhere in a procedure it was clearly written a sentance like this one : "We considere (today) that the firewall and its configuration is secure according to the results given by nessus."... and that's all. It seems that I was the only one to considere that we could not only evaluate a security level regarding to the results given by this tool but
we
also had to look for vulnerabilities in CERTS or CVE. In case of a 0-vulnerability result, the tools will let us think that the security
level
is good while in fact it is completly wrong. I considered that it was a wrong way of thinking and told them that my sentance will have been : "We considere (today) that the firewall and its configuration is secure according to the results given both by a search on CVE or CERTS databases and the actual configuration and last update. Nessus (or other tools) are used to improve our view but are not considered as sufficient." I've been told that looking for CVE or CERTS vulnerabilities takes too
long
time for a lonely security manager who both has to deal with a lot of equipments and other security stuffs. They said nessus give them a good security view and without any security organisation to help them, the task is too hard. I answered that if a security manager can't take the time to check for vulnerabilities in specific databases, he must write somewhere the reasons and the security consequences of his choice. Reason and security consequences of just using tools like nessus. Our discussion about this subject has covered subjects like process, procedures, methods, risk analysis (especialy identification of the threats), security
management,...,
but finaly I was told that most of companies do like them and my approach was not used. I would to know your point of view, your experiences, for exemple : do you only use nessus (or anything else) and considere the results as valuable
??
Any comments (flame or not) is welcome :) Thanks in advance. -Yannick --------------------------------------------------------------------------
-
Thinking About Security Training? You Can't Afford Not To! Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now!
--UP TO 30% off classes in select cities-- http://www.securityfocus.com/Vigilar-security-basics --------------------------------------------------------------------------
--
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Evaluating the security level of a firewall yannick'san (May 26)
- Re: Evaluating the security level of a firewall James Fields (May 27)
- Re: Evaluating the security level of a firewall Meritt James (May 28)
- Re: Evaluating the security level of a firewall James Taylor (May 27)
- RE: Evaluating the security level of a firewall Roger Bou-Aoun (May 29)
- Re: Evaluating the security level of a firewall James Fields (May 27)