Firewall Wizards mailing list archives
Re: Proxy 2.0 secure?
From: "David Newman" <dnewman () cmp com>
Date: Tue, 30 Jun 1998 23:41:43 -0400
Thomas, I'm sorry you're attacking me, for we are actually in violent agreement here. Let me remind you that I came in on this thread by *agreeing* with you that running a finite, known set of attacks against a properly configured device does *not* mean a device is secure. Also, a clarification: ISS Safesuite has multiple modules, including one that is intended for use against *firewalls,* not end-systems. It was this firewall-specific module we used in our testing. I have no interest in ISS Safesuite, nor have I ever represented it as encompassing the universe of attacks a firewall would face.

dn

tqbf () pobox com on 06/30/98 05:04:20 AM
Please respond to tqbf () pobox com
To: David Newman/NYC/CMPNotes
cc: tqbf () pobox com, firewall-wizards () nfr net
Subject: Re: Proxy 2.0 secure?
> The article made clear that we did not in any way certify products as "secure," whatever that means. Our tests evaluated only whether properly
You stated that your methodology would not account for misconfiguration or new attacks. I am stating that your methodology does not account for old attacks, either, but rather only the specific incarnations of a specific set of largely irrelevant (to a firewall) attacks generated by a network testing tool designed to test end-systems and not firewalls. Your disclaimer is thus seriously misleading.
> both very real problems, but beyond the scope of our test. I agree that scanners and IDS products are a good way of evaluating device
> configuration
> (and I'm pleased to see you think IDS products are good for something ;-)
I do not think I-D is a good way of verifying device configuration; I think that the use of I-D for config verification is seriously flawed. Moreover, you did not use I-D tools in your test (or if you did, you didn't document that in your article). Additionally, I do not think IDS products based on passive network analysis ("sniffing") are worth anything at all. I have no opinion about any other form of I-D (and there are many others, some of which are incarnated in very popular commercial packages); please do not misunderstand this.

-----------------------------------------------------------------------------
Thomas H. Ptacek SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf "If you're so special, why aren't you dead?"
Current thread:
- Re: Proxy 2.0 secure? Brian Steele (Jul 01)
- <Possible follow-ups>
- Re: Proxy 2.0 secure? David Newman (Jul 01)
- Re: Proxy 2.0 secure? tqbf (Jul 03)
- Re: Proxy 2.0 secure? John McDermott (Jul 01)
- Re: Proxy 2.0 secure? Brian Steele (Jul 02)
- Re: Proxy 2.0 secure? David Newman (Jul 03)
- RE: Proxy 2.0 secure? ICMan (Jul 07)
- RE: Proxy 2.0 secure? David Newman (Jul 07)