Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 19 Sep 1998 23:26:59 -0400 (EDT)

On Fri, 18 Sep 1998, John McDermott wrote:

> I beg to differ with your differing :-).  The issue in firewall 
> verification is not pass/block verification.  IMHO that is stateless filter 
> verification (e.g. as for a router).
> 
> Meaningful firewall verification (again IMHO) requires that each 
> proxy/stateful inspector be proven to allow only correct operation of the 
> protocol for which it is proxying.  If a firewall is proxying, say, HTTP, 
> the verification must show that there are no buffer overflows, for example, 
> in the proxy and that the proxy is not performing any illegal operation 
> which could impact the integrity of the firewall or the allegedly protected 
> computers.  This is probably "difficult".

HTTP is an open-ended protocol specification with some _limitless_ size 
specifications; I submit that it is beyond "difficult" to verify correct 
functionality of a layer 5 transport protocol.  Testing just buffer 
overflows on limitless length objects would seem to be less than an ideal 
situation.  Proxies are much easier to verify than stateful filters under 
the same circumstances, but once again, the source code is probably going 
to give you a much higher level of assurance that oversized objects are 
correctly handled unless you don't go look at the source to the library 
routines as well, in which case you can either do that, or accept a lower 
level of assurance by banging against the calls with a substantial set of 
test data.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
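As an added illustration, not part of either message above, of the two things the exchange turns on (a proxy that mishandles an oversized HTTP object, and "banging against the calls with a substantial set of test data" when you will not read the source): the C below puts a request-line parser of the kind an HTTP proxy contains next to a bounded rewrite, then sweeps the request-target length from one byte to well past the buffer size and watches canary bytes around each destination buffer. The buffer sizes, function names, return codes and the 0xA5 canary are this example's own assumptions; `parse_request_line_naive` is included only to mark the defect and is never called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer bounds assumed for this example; a real proxy picks its own. */
#define MAX_METHOD  16
#define MAX_TARGET  1024
#define MAX_VERSION 16

/* "Before": the shape of parser the thread worries about.  sscanf's %s has
 * no length bound, so a client-supplied target longer than MAX_TARGET is
 * written past the end of the stack buffer.  Shown for contrast; not called. */
int parse_request_line_naive(const char *line)
{
    char method[MAX_METHOD], target[MAX_TARGET], version[MAX_VERSION];
    return sscanf(line, "%s %s %s", method, target, version) == 3;
}

/* Copy one token (up to space/CR/LF/NUL) from *p into dst of capacity cap.
 * Returns 0 and advances *p if the token fits with its NUL; -1 if the token
 * is empty or would not fit, in which case nothing is written. */
static int copy_token(const char **p, char *dst, size_t cap)
{
    const char *s = *p;
    size_t n = 0;
    while (s[n] != '\0' && s[n] != ' ' && s[n] != '\r' && s[n] != '\n')
        n++;
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = s + n;
    return 0;
}

/* "After": every copy is bounded by a caller-supplied capacity, so an
 * oversized object is rejected rather than written out of bounds.
 * Returns 0 on success; -1/-2/-3 if method/target/version is missing or
 * too long; -4 if the line is otherwise malformed. */
int parse_request_line(const char *line,
                       char *method, size_t mcap,
                       char *target, size_t tcap,
                       char *version, size_t vcap)
{
    const char *p = line;
    if (copy_token(&p, method, mcap) != 0)  return -1;
    if (*p++ != ' ')                        return -4;
    if (copy_token(&p, target, tcap) != 0)  return -2;
    if (*p++ != ' ')                        return -4;
    if (copy_token(&p, version, vcap) != 0) return -3;
    if (*p == '\r') p++;                    /* accept CRLF or bare LF */
    if (*p == '\n') p++;
    return *p == '\0' ? 0 : -4;
}

/* Bang the bounded parser with constructed request lines whose target is
 * "/" followed by len 'A's, for len = 1..max_len (far past MAX_TARGET).
 * Each destination buffer is fenced with a 0xA5 canary; any write past a
 * bound changes a canary.  Returns the number of canary violations
 * (expected 0) and reports how many lines were accepted and rejected. */
int bang_request_parser(size_t max_len, int *accepted, int *rejected)
{
    int violations = 0;
    char *line = malloc(max_len + 64);
    *accepted = *rejected = 0;
    if (!line) return -1;
    for (size_t len = 1; len <= max_len; len++) {
        int n = sprintf(line, "GET /");
        memset(line + n, 'A', len);
        n += (int)len;
        sprintf(line + n, " HTTP/1.1\r\n");

        struct { char method[MAX_METHOD]; char c1;
                 char target[MAX_TARGET]; char c2;
                 char version[MAX_VERSION]; char c3; } buf;
        buf.c1 = buf.c2 = buf.c3 = (char)0xA5;

        int rc = parse_request_line(line, buf.method, sizeof buf.method,
                                    buf.target, sizeof buf.target,
                                    buf.version, sizeof buf.version);
        if ((unsigned char)buf.c1 != 0xA5 || (unsigned char)buf.c2 != 0xA5 ||
            (unsigned char)buf.c3 != 0xA5)
            violations++;
        if (rc == 0) (*accepted)++; else (*rejected)++;
    }
    free(line);
    return violations;
}

int main(void)
{
    int acc, rej;
    int bad = bang_request_parser(4096, &acc, &rej);
    printf("accepted=%d rejected=%d canary violations=%d\n", acc, rej, bad);
    return bad == 0 ? 0 : 1;
}
```

The sweep is deliberately dumb: it is the "lower level of assurance" route, and it only proves the parser safe for lengths it actually tried, not for every HTTP object. Reading the source of `copy_token` (and of `memcpy` beneath it, the library routine Paul points at) is what lets you argue the `n >= cap` check covers every length.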
