Firewall Wizards mailing list archives

RE: Proxy 2.0 secure?


From: ICMan <shane () tor securecomputing com>
Date: Fri, 3 Jul 1998 19:38:22 -0400

Just so you know, early this year I was at a Firewall "Pen Testathon" at 
NSTL that was performed for DataCommunications Mag, and they only used ISS 
5.0 for the test.  They did not appear to have any other tools.  [I would 
like to point out that many tools give false positives, and you must be 
wary.  For example, ISS checks for servers on the Firewall.  If they are 
there, they give a warning.  Also, if there is an ALG proxy on the port, 
doing proxy redirection, ISS reported a server on the Firewall, even though 
there was no server at the end of the redirected proxy.  ISS never checked 
for the presence of a server by sending commands.  It got a connection on a 
known port (in this case 119, indicating NNTP) and stated boldly that there 
was a news server there.  Personally, I think that such tools are only good 
to give an indication where you should start hacking by hand.]

Also, you should note that, when doing performance testing, NSTL did not 
require any security measures to be enabled.  The SPF firewalls did great. 
The vendors tuned them into little better than software routers for that 
phase of the testing.  ALGs had reduced performance because ALG proxying, 
and therefore highly secure access, cannot be disabled.  I thought that it 
would be more appropriate for the Firewalls to be in the same highly secure 
mode used for the Pen Test.  That would give more realistic "Firewall" 
performance figures.

Don't believe everything you read.

ICMan
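
The check ICMan describes ISS as skipping (connect to port 119, then actually read for an NNTP greeting before calling it a news server) is shown below as an added example; it is not code from this thread, from NSTL, or from any product named here. It assumes a Python 3 environment and uses constructed local listeners on 127.0.0.1 to stand in for a real NNTP server, for a proxy that accepts the connection but has no backend, and for a closed port; the greeting codes 200/201 are the ones NNTP servers send on connect.

```python
import socket
import threading

# Greeting codes an NNTP server sends on connect:
# 200 = ready, posting allowed; 201 = ready, posting prohibited.
NNTP_GREETING_CODES = {"200", "201"}


def probe_nntp(host, port, timeout=1.0):
    """Classify what is really behind host:port instead of trusting the port number.

    Returns one of:
      "closed"          - the TCP connect failed
      "open-no-service" - the connect succeeded but no NNTP greeting arrived
                          (a proxy that accepted the connection and then went
                          quiet, hung up, or answered with some other protocol)
      "nntp"            - a line starting with an NNTP greeting code was read
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            data = sock.recv(512)
        except OSError:
            # timeout or reset: the connection was accepted, but nothing usable came back
            return "open-no-service"
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if first_line[:3] in NNTP_GREETING_CODES and first_line[3:4] in ("", " "):
        return "nntp"
    return "open-no-service"


def start_fake_listener(greeting):
    """Start a one-shot TCP listener on 127.0.0.1 (constructed stand-in, not a real daemon).

    greeting=b"..." -> sends it on accept, like a real NNTP server.
    greeting=None   -> accepts and stays silent, like a proxy redirect whose
                       backend is missing; the client's own timeout ends the probe.
    Returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if greeting is not None:
                conn.sendall(greeting)
            # wait for the client to hang up, so the silent case is
            # "open but mute" rather than an immediate close
            conn.settimeout(5)
            try:
                conn.recv(1)
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a local port nothing is listening on (bind, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def verify_scanner_claim(host, port):
    """Turn a scanner's 'NNTP server on this port' claim into a verdict string."""
    result = probe_nntp(host, port)
    return {
        "nntp": "confirmed: NNTP greeting received",
        "open-no-service": "false positive: port accepts connections but no NNTP service answered",
        "closed": "not listening",
    }[result]


if __name__ == "__main__":
    real = start_fake_listener(b"200 news.example.test NNTP service ready\r\n")
    mute = start_fake_listener(None)
    for label, port in (("real server", real),
                        ("proxy with no backend", mute),
                        ("closed port", free_closed_port())):
        print(f"{label:22s} port {port:5d}: {verify_scanner_claim('127.0.0.1', port)}")
```

The point of the example is the second verdict: a connection on port 119 that is never followed by a 200/201 greeting is exactly the case ICMan saw reported as a news server, and a one-line read of the banner is enough to separate it from a real service before anyone starts hand-checking the finding.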

-----Original Message-----
From:   David Newman [SMTP:dnewman () cmp com]
Sent:   Thursday, 02 July, 1998 11:44 PM
To:     tqbf () pobox com
Cc:     firewall-wizards () nfr net
Subject:        Re: Proxy 2.0 secure?


Glass houses, Mr. Ptacek. You're ascribing conclusions to the article that
just aren't there. The text cautioned *against* concluding that devices
were secure simply because they didn't barf when we hit them with a finite
number of attacks.  I have no desire to get into a pissing match with you
about this, but you're making up conclusions we were careful to avoid, and
we even cautioned our audience against reading too much into our findings.
You need to be more careful with *your* wording.

I noted earlier in this thread that this isn't an issue of ISS's tools or
yours (or ours, for that matter; NSTL, which conducts most of Data Comm's
security testing, has its own attack tools as well). As I said earlier, it
doesn't really matter whose tool we use to generate ping of death, land,
teardrop2, boink, and the like; the target machines fail the same way.

dn
tqbf () pobox com on 07/02/98 09:17:24 PM

Please respond to tqbf () pobox com

To:   David Newman/NYC/CMPNotes
cc:   tqbf () pobox com, firewall-wizards () nfr net
Subject:  Re: Proxy 2.0 secure?

> I'm sorry you're attacking me, for we are actually in violent agreement

It is not my intention to attack you; I simply have problems with the
manner in which conclusions appear to have been reached in an article you
wrote.

> you that running a finite, known set of attacks against a properly
> configured device does *not* mean a device is secure.

You should be more careful with your wording. Running a finite number of
exploits or attack signature generators against a device does not mean
that a device is secure, in general or from the underlying vulnerabilities
exploited/assessed by your attack tools.

> Also, a clarification: ISS Safesuite has multiple modules, including one
> that is intended for use against *firewalls,* not end-systems. It was
> this

NetSonar and CyberCop Scanner also have firewall testing modules (CCS
focusses on firewalls and routers) --- but I wouldn't rely on metrics from
either product to make conclusions about the security of a firewall
product. Apparently you agree, and I'm misunderstanding you, but I would
like to clarify the fact that this isn't an ISS vs. NAI issue (I think ISS
would agree with my logic here).

-----------------------------------------------------------------------------
Thomas H. Ptacek                       SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf     "If you're so special, why aren't you dead?"