Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Penetration testing via shrinkware

From: Adam Shostack <adam () homeport org>
Date: Sun, 20 Sep 1998 03:11:02 -0400
I find the fuzz work to be of great use in findng unknown bugs in
firewalls.  Requires a couple of machines, and a few weeks of idle
time for them.  Fuzz & Fuzz Revisted are the papers.  U Wisconsin.

Adam


On Fri, Sep 18, 1998 at 01:17:51PM +0000, John McDermott wrote:

| By the same token, how can firewall testing be accomplished?  Let us assume 
| bug B.  If there is no scanner for bug B because it is unknown until time 
| T, then how can a firewall be certified at time <T that it protects itself 
| and an internal network from bug B?  That is, testing goes hand-in-hand 
| with firewall certification, as I see it.
| 
| If a firewall is certified to be correct wrt all known bugs on 1Sep98, how 
| can it be guaranteed to be correct wrt some bug developed 10 September?  It 
| seems to me that certification of firewalls and scanners needs to be 
| explicitly "as of date xx/xx/xxxx" and that all bets are off after that.
| 
| --john
| 
| >
| >Crispin
| >-----
| 
| 
| -------------------------------------
| Name: John McDermott
| VOICE: 505/377-6293 FAX 505/377-6313
| E-mail: John McDermott <jjm () jkintl com>
| Writer and Computer Consultant
| -------------------------------------

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
Previous By Date Next
Previous By Thread Next

Current thread: