Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: Crispin Cowan <crispin () cse ogi edu>
Date: Fri, 18 Sep 1998 09:26:03 -0700
John McDermott wrote:
Meaningful firewall verification (again IMHO) requires that each proxy/stateful inspector be proven to allow only correct operation of the protocol for which it is proxying. If a firewall is proxying, say, HTTP, the verification must show that there are no buffer overflows, for example, in the proxy and that the proxy is not performing any illegal operation which could impact the integrity of the firewall or the allegedly protected computers. This is probably "difficult".
I agree with your assessment of what it means to really verify a firewall, and I certainly agree that it is difficult. However, it is also clearly possible, if one wishes to expend enough effort and money. A scanner, on the other hand, is simply not possible to verify. No matter what vulnerabilities the scanner checks for, there will always be the potential for a new mis-configuration, bug, or other vulnerability in some product that the scanner should check for, but does not. The set of things that a scanner should check for is infinite, so the scanner can never be complete.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98