Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: Adam Shostack <adam () homeport org>
Date: Sun, 20 Sep 1998 03:11:02 -0400
I find the fuzz work to be of great use in findng unknown bugs in firewalls. Requires a couple of machines, and a few weeks of idle time for them. Fuzz & Fuzz Revisted are the papers. U Wisconsin. Adam On Fri, Sep 18, 1998 at 01:17:51PM +0000, John McDermott wrote: | By the same token, how can firewall testing be accomplished? Let us assume | bug B. If there is no scanner for bug B because it is unknown until time | T, then how can a firewall be certified at time <T that it protects itself | and an internal network from bug B? That is, testing goes hand-in-hand | with firewall certification, as I see it. | | If a firewall is certified to be correct wrt all known bugs on 1Sep98, how | can it be guaranteed to be correct wrt some bug developed 10 September? It | seems to me that certification of firewalls and scanners needs to be | explicitly "as of date xx/xx/xxxx" and that all bets are off after that. | | --john | | > | >Crispin | >----- | | | ------------------------------------- | Name: John McDermott | VOICE: 505/377-6293 FAX 505/377-6313 | E-mail: John McDermott <jjm () jkintl com> | Writer and Computer Consultant | ------------------------------------- -- "It is seldom that liberty of any kind is lost all at once." -Hume
Current thread:
- Re: Penetration testing via shrinkware, (continued)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 20)
- Re: Penetration testing via shrinkware Marcus J. Ranum (Sep 21)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 21)
- Re: Penetration testing via shrinkware Ted Doty (Sep 21)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 21)
- Re: Penetration testing via shrinkware Darren Reed (Sep 22)
- Re: Penetration testing via shrinkware Ted Doty (Sep 22)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 20)
- Re: Penetration testing via shrinkware Joseph S. D. Yao (Sep 22)
- Re: Penetration testing via shrinkware Stephen P. Berry (Sep 24)
- Re: Penetration testing via shrinkware tqbf (Sep 21)
- Re: Penetration testing via shrinkware Marcus J. Ranum (Sep 20)
- Re: Penetration testing via shrinkware Joseph S. D. Yao (Sep 21)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 20)
- Re: Penetration testing via shrinkware Marcus J. Ranum (Sep 20)
- Re: Penetration testing via shrinkware Christopher Nicholls (Sep 21)
- Re: Penetration testing via shrinkware Marcus J. Ranum (Sep 21)
- Re: Penetration testing via shrinkware Christopher Nicholls (Sep 23)