Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: Crispin Cowan <crispin () cse ogi edu>
Date: Fri, 18 Sep 1998 09:26:03 -0700

John McDermott wrote:

Meaningful firewall verification (again IMHO) requires that each
proxy/stateful inspector be proven to allow only correct operation of the
protocol for which it is proxying.  If a firewall is proxying, say, HTTP,
the verification must show that there are no buffer overflows, for example,
in the proxy and that the proxy is not performing any illegal operation
which could impact the integrity of the firewall or the allegedly protected
computers.  This is probably "difficult".

I agree with your assessment of what it means to really verify a firewall, and
I certainly agree that it is difficult.  However, it is also clearly possible,
if one wishes to expend enough effort and money.

A scanner, on the other hand, is simply not possible to verify.  No matter
what vulnerabilities the scanner checks for, there will always be the
potential for a new mis-configuration, bug, or other vulnerability in some
product that the scanner should check for, but does not.  The set of things
that a scanner should check for is infinite, so the scanner can never be
complete.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98
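
An added illustration of the distinction drawn in the message above (this is
example code written for this archive page, not code from the thread or from
any firewall or scanner product). It contrasts the two models: a proxy that
accepts only what a fixed protocol grammar permits, whose acceptance set is
finite and can therefore be reviewed or proven, against a scanner that flags
only inputs matching a list of previously known bad patterns, which is never
complete. The length limits, the permitted methods, the two "signatures" and
the sample request lines are all constructed for the example.

```python
import re

# Constructed limits for one protocol fragment: the HTTP/1.x request line.
# Bounding lengths before any parsing is what makes the "no buffer overflow"
# part of the verification tractable: nothing past MAX_LINE is ever examined.
MAX_LINE = 4096
MAX_TARGET = 1024
METHODS = frozenset({"GET", "HEAD", "POST"})   # assumption: what this proxy permits

# Positive grammar: method, one space, printable-ASCII target, one space, version.
REQUEST_LINE = re.compile(
    r"(?P<method>[A-Z]{1,16}) "
    r"(?P<target>[\x21-\x7e]{1," + str(MAX_TARGET) + r"}) "
    r"HTTP/1\.[01]"
)


def proxy_accepts(raw: bytes) -> bool:
    """Positive model: accept only what the grammar permits, reject everything else."""
    if len(raw) > MAX_LINE:            # bounded before parsing
        return False
    try:
        line = raw.decode("ascii")     # non-ASCII is outside the grammar
    except UnicodeDecodeError:
        return False
    m = REQUEST_LINE.fullmatch(line)   # fullmatch: no trailing garbage tolerated
    if m is None:
        return False
    return m.group("method") in METHODS


# Negative model: a scanner-style list of known-bad request signatures (constructed).
# Every entry here corresponds to one attack someone has already seen.
KNOWN_BAD = [
    re.compile(rb"A{256,}"),   # one particular long-input probe
    re.compile(rb"\x00"),      # embedded NUL
]


def scanner_flags(raw: bytes) -> bool:
    """Flags only inputs matching a previously known signature."""
    return any(p.search(raw) for p in KNOWN_BAD)


# Constructed sample request lines.
SAMPLES = {
    "benign":     b"GET /index.html HTTP/1.1",
    "long_A":     b"GET /" + b"A" * 2000 + b" HTTP/1.1",   # on the scanner's list
    "long_B":     b"GET /" + b"B" * 3000 + b" HTTP/1.1",   # same class, not on the list
    "bad_method": b"DELETE / HTTP/1.1",
    "ctl_chars":  b"GET /\x00 HTTP/1.1",
}


def compare() -> dict:
    """Returns {name: (proxy_accepts, scanner_flags)} for each sample."""
    return {k: (proxy_accepts(v), scanner_flags(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, flagged) in compare().items():
        print(f"{name:11} proxy_accepts={str(ok):5} scanner_flags={flagged}")
```

The interesting row is `long_B`: the proxy rejects it because it falls outside
the grammar, while the scanner misses it because nobody has added that
particular probe to the list yet. Verifying `proxy_accepts` means checking a
handful of bounds and one regular expression; "verifying" `scanner_flags`
would mean proving `KNOWN_BAD` is complete, which is the infinite task the
message describes.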
