Firewall Wizards mailing list archives
Re: Third Party Audit of a Firewall
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sat, 31 Jan 1998 22:02:01 -0500
michelle () inf net au writes:
> I'm not sure I'd show this documentation to the auditors.
Drive your car to a master mechanic. Tell them that you want a full diagnostic performed on the engine. Tell them that they're to do that, but they can't open the hood to get at it. They will look at you funny. Any decent security auditor will react similarly. There is a lot of attractiveness to the idea of simulating a hacker attack -- and it often works -- but you'll always get better input from the auditor if they know what they are looking at. Unless they're just going to run a scanner against your firewall and pronounce you healed. :-P
cschieke () advsys com writes:
> I disagree with that stance. It seems to only test the skill of the auditor, not the strength of the firewall.
I agree 100%. It's similar to the vendor who used to have their firewall on the 'net as a "hacker challenge." They didn't benchmark their firewall -- they benchmarked all the guys who attacked it.
> Why not take a crystal box approach? Tell them everything, show them the documentation, let them know what your concerns are.
Back when I used to do firewall audit kind of things I used to ask all kinds of annoying questions that had nothing to do with the firewall per se and everything to do with security. Things like: How is your firewall managed? What do you do to make sure the version of software it runs is up to date? How do you track alterations to its policy? How do you approve alterations to its policy? *THEN* you can start thinking about the firewall itself. In some cases you can announce that it's highly likely the firewall will be insecure without even knowing or caring what brand it is and how it's configured.
> If I told an auditor that I work for $big_company and that we have a firewall, now go audit it, and she came back and said "Yup, all's clear", I'd be scared.
I wouldn't pay them. :) Imagine: You drive your car in to the mechanic and tell them to do a check of the engine. But they can't look under the hood. The mechanic looks at you funny and says, "it must work, right? it got you here." You drive away feeling safe that your car is in tip top shape.
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr