Firewall Wizards mailing list archives
Re: Penetration tests
From: bill () WLK COM (Bill Kennedy)
Date: Fri, 26 Sep 1997 09:00:06 -0500 (CDT)
Firewall-Wizards Digest wrote:

> From: Edward Cracknell <edward () securIT net>
>
> I'd really like some input regarding penetration tests. Internal and External. If you have tools, documentation or a template for considerations I'd be grateful. This will be part of an overall risk/vulnerability audit, which I have no problems with.
On www.frus.com there is, in addition to the commercial service offering, some information that you might find useful. The statement of work and description of the service would be a good place to start specifications for what you plan to do and the results you expect to get.

I'll not feign objectivity but I will share an opinion regarding using a commercial service and self help. We believe that a commercial service is useful for confirming due diligence and to get a third party assessment of vulnerability. We also believe that it can only augment, not replace, self help. If it's applicable at all, a commercial service should be only one component of a program to evaluate your defenses.

I agree with Marcus that few folks offering products or services for profit will eagerly share their intellectual property. I also agree with Darren that CERT advisories, BugTraq, etc. are valuable resources for constructing a tool set. That's pretty much how we built ours and it's a very mixed bag of things built on a SATAN base. I'll slightly disagree with Marcus, speaking only for my company, that we're increasingly secretive about the toolset. We don't use anything, other than a few modifications, that isn't generally available or fairly well known to the "dark side". I think we'd be embarrassed to disclose some of the ghastly hacks and disorganized collection of things, but we'd not be secretive about it.

Here's why, and it's stimulated by Darren's observation. One size fits none. Penetration testing, which we call "certification", must be intimately related to the security policy you seek to enforce. You should vigorously stress the services the policy regulates but, more important, you should also confirm that the services the policy permits do not jeopardize the intent of what it forbids. Example: if you're permissive for email you have to be certain your mail server and software are robust enough to deflect exploits to defeat other defenses.

That's pretty fundamental but astoundingly often overlooked. Further, simple scanning should be only one component of a complete program for ongoing testing and audit. Scan results are a snapshot that can and will change after any adjustments are made to network hardware or software. That's another reason a commercial service isn't as useful as the vendors might claim. There is an exception to that and it's in the interpretation of the results.

Network scans are kind of like memory tests. They reveal the most egregious flaws but they often don't discover the heart of a problem. How you interpret the results determines how you proceed with the assessment. The scan will often give you the clues you need to drill deeper and that's where one size fits none, home made is better than store bought. I don't think anyone can offer a software suite that is complete enough to evaluate how well _your_ defenses conform to and enforce _your_ security policy. A commercial vendor might be able to do a better job of interpreting a single scan because they do it every day but they can't do as good a job as you can evaluating the threats in the context of your security policy.

Why? The direction of the greatest risk resides inside your defense perimeter. The most likely source of data corruption and compromise has more to do with practice and procedure than it does with networks or protocols. That doesn't mean you can afford to be sloppy at the perimeter; it means that the perimeter is relatively easy to monitor and control, and the bulk of your defensive effort should be auditing the other controls you have established. Penetration testing is a small, but important, fraction of what's needed to be confident of your information defenses. Its greatest value is revealing clues and anomalies that point you to the less obvious vulnerabilities. The bad guys are picking fly specks out of the pepper; you have to do it too.

Finally (mercifully), to get the best results from penetration testing you need a confederate or co-conspirator. It's damned hard to thoroughly wring it all out unless you can attempt entry. Recruit a trusted neighbor or vendor to do it for you. If it's a neighbor, reciprocate by doing it for them. Certainly you should employ all the techniques from within, but the best estimate of your public face is made from the public side.

--
Bill Kennedy bill () WLK COM | "Man who it is very bad luck to get in a fight
                              | with because he has devils on his side"
                              | Comanche name for "Captain Jack", Texas Ranger
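Two of the points in the post above, that scan output is only a snapshot that changes whenever the network changes, and that what matters is whether the services actually exposed conform to _your_ policy, are easy to turn into a small, repeatable check. The following Python script is an added example, not code from the original post or from the author's toolset; the snapshot format (one open port per line), the two sample snapshots and the per-host policy allowlist are all constructed for illustration. It parses a "before" and an "after" snapshot, reports every open port the policy does not permit, and diffs the two snapshots so that anything that appeared or disappeared after a change stands out for the deeper look the post recommends.

```python
"""Policy-conformance and change check over port-scan snapshots.

Added example (not from the original list post). Snapshot format, sample
data and the policy allowlist below are constructed for illustration.
"""

# Constructed sample snapshots: one open port per line,
# "<host> <port>/<proto> <service-guess>". Lines starting with '#' are ignored.
SNAPSHOT_BEFORE = """\
# taken before the maintenance window (constructed)
10.0.0.5 25/tcp smtp
10.0.0.5 22/tcp ssh
10.0.0.7 80/tcp http
10.0.0.7 443/tcp https
"""

SNAPSHOT_AFTER = """\
# taken after the maintenance window (constructed)
10.0.0.5 25/tcp smtp
10.0.0.5 22/tcp ssh
10.0.0.5 110/tcp pop3
10.0.0.7 80/tcp http
10.0.0.7 443/tcp https
10.0.0.7 23/tcp telnet
"""

# Constructed policy: the only services the policy permits, per host.
# A host absent from the policy is permitted nothing.
POLICY = {
    "10.0.0.5": {"25/tcp", "22/tcp"},
    "10.0.0.7": {"80/tcp", "443/tcp"},
}


def parse_snapshot(text):
    """Return {(host, port_proto): service} for every data line in a snapshot."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, service = line.split(maxsplit=2)
        result[(host, port_proto)] = service
    return result


def policy_violations(snapshot, policy):
    """Sorted list of (host, port_proto, service) open but not permitted by policy."""
    return sorted(
        (host, port_proto, service)
        for (host, port_proto), service in snapshot.items()
        if port_proto not in policy.get(host, set())
    )


def snapshot_diff(before, after):
    """Return (appeared, disappeared): (host, port_proto) keys that changed."""
    old_keys, new_keys = set(before), set(after)
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


def report(before_text, after_text, policy):
    """Build the human-readable report; returns the lines so callers can test it."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    appeared, disappeared = snapshot_diff(before, after)
    lines = []
    for host, port_proto, service in policy_violations(after, policy):
        lines.append(f"VIOLATION {host} {port_proto} ({service}) not permitted by policy")
    for host, port_proto in appeared:
        lines.append(f"APPEARED  {host} {port_proto} ({after[(host, port_proto)]})")
    for host, port_proto in disappeared:
        lines.append(f"GONE      {host} {port_proto} ({before[(host, port_proto)]})")
    return lines


if __name__ == "__main__":
    for line in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, POLICY):
        print(line)
```

Run the script as-is to see the two new, non-permitted listeners flagged both as policy violations and as changes since the previous snapshot. In practice the "before" snapshot would be the last accepted baseline and the policy file would be the machine-readable form of the written security policy, so that every rescan answers the question the post poses: do the exposed services still match what the policy permits?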