Firewall Wizards mailing list archives
Re: Third Party Audit of a Firewall
From: Chad Schieken <cschieke () advsys com>
Date: Sat, 31 Jan 1998 17:19:14 -0500
"Michelle" == Michelle <michelle () inf net au> writes:
Michelle> I am interested in what sort of tests should be run
Of course, the appropriate documentation for the firewall should already be drafted. This should include all of the things you need to know about the systems, including OS, versions, patches, any applications, services, etc. You'll need to know what services you're exposing to the inside world, and to the outside world, and to what degree each is being exposed. I'm not sure I'd show this documentation to the auditors.
I disagree with that stance. It seems to only test the skill of the auditor, not the strength of the firewall. Why not take a crystal box approach? Tell them everything, show them the documentation, let them know what your concerns are. If I told an auditor that I work for $big_company and that we have a firewall, now go audit it, and she came back and said "Yup, all's clear", I'd be scared. But if I gave them every bit of information that I had, then asked them to verify that my picture of my firewall reflected reality, then I'd feel a lot more comfortable about their findings, in either direction.