Firewall Wizards mailing list archives

Re: Third Party Audit of a Firewall


From: Chad Schieken <cschieke () advsys com>
Date: Sat, 31 Jan 1998 17:19:14 -0500

"Michelle" == Michelle  <michelle () inf net au> writes:

Michelle> I am interested in what sort of tests should be run

Of course, the appropriate documentation for the firewall should
already be drafted.  This should include all of the things you need to 
know about the systems, including OS, versions, patches, any
applications, services, etc.  You'll need to know what services you're 
exposing to the inside world, and to the outside world, and to what
degree each is being exposed.

I'm not sure I'd show this documentation to the auditors.

I disagree with that stance. It seems to only test the skill of the auditor, not 
the strength of the firewall.

Why not take a crystal box approach? Tell them everything, show them the 
documentation, let them know what your concerns are.

If I told an auditor that I work for $big_company and that we have a firewall, 
now go audit it, and she came back and said "Yup, all's clear", I'd be scared.

But if I gave them every bit of information that I had, then asked them to verify 
that my picture of my firewall reflected reality, then I'd feel a lot more 
comfortable about their findings, in either direction.









