Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 19 Sep 1998 23:26:59 -0400 (EDT)
On Fri, 18 Sep 1998, John McDermott wrote:
> I beg to differ with your differing :-). The issue in firewall verification is not pass/block verification. IMHO that is stateless filter verification (e.g. as for a router). Meaningful firewall verification (again IMHO) requires that each proxy/stateful inspector be proven to allow only correct operation of the protocol for which it is proxying. If a firewall is proxying, say, HTTP, the verification must show that there are no buffer overflows, for example, in the proxy and that the proxy is not performing any illegal operation which could impact the integrity of the firewall or the allegedly protected computers. This is probably "difficult".
HTTP is an open-ended protocol specification with some _limitless_ size specifications; I submit that it is beyond "difficult" to verify correct functionality of a layer 5 transport protocol. Testing just buffer overflows on limitless length objects would seem to be less than an ideal situation. Proxies are much easier to verify than stateful filters under the same circumstances, but once again, the source code is probably going to give you a much higher level of assurance that oversized objects are correctly handled, unless you don't go look at the source to the library routines as well, in which case you can either do that, or accept a lower level of assurance by banging against the calls with a substantial set of test data.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net  which may have no basis whatsoever in fact."
PSB#9280
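The point about limitless sizes is concrete enough to show in code. The following is an added example, not part of Paul's or John's posts and not taken from any firewall product: a bounded request-line parser of the kind an HTTP proxy needs, together with the "bang against it with a substantial set of test data" check Paul describes. Because HTTP sets no upper bound on a request-target, the proxy has to impose its own limit and must reach a defined error instead of copying into a fixed buffer. The limits (MAX_METHOD, MAX_TARGET, MAX_VERSION), the function names and the constructed test inputs are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-field limits a proxy might impose; HTTP itself sets none. */
#define MAX_METHOD   16
#define MAX_TARGET   2048
#define MAX_VERSION  16

enum parse_result {
    PARSE_OK = 0,
    PARSE_MALFORMED,   /* empty field, missing SP/CRLF, or input ran out */
    PARSE_TOO_LONG     /* a field exceeds the proxy's limit */
};

struct request_line {
    char method[MAX_METHOD + 1];
    char target[MAX_TARGET + 1];
    char version[MAX_VERSION + 1];
};

/* Look for `delim` starting at p, examining at most max + 1 bytes and never
 * past `end`. Returns the delimiter's position, or NULL with *why set.
 * The bounded scan is the point: an oversized field costs max bytes of
 * work and a clean rejection, not an unbounded copy into a fixed buffer. */
static const char *find_delim(const char *p, const char *end, char delim,
                              size_t max, enum parse_result *why)
{
    size_t seen = 0;                        /* bytes examined before p */
    for (; p < end; p++, seen++) {
        if (*p == delim) {
            if (seen == 0) { *why = PARSE_MALFORMED; return NULL; }
            return p;
        }
        if (seen == max) { *why = PARSE_TOO_LONG; return NULL; }
    }
    *why = PARSE_MALFORMED;                 /* input ended before the delimiter */
    return NULL;
}

/* Copy a field that find_delim has already proven fits in dst. */
static void take_field(char *dst, const char *start, const char *stop)
{
    size_t n = (size_t)(stop - start);
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Parse "METHOD SP request-target SP HTTP-version CRLF". The buffer need
 * not be NUL-terminated; nothing past buf + len is ever read. */
enum parse_result parse_request_line(const char *buf, size_t len,
                                     struct request_line *out)
{
    const char *end = buf + len, *p = buf, *d;
    enum parse_result why;

    if (!(d = find_delim(p, end, ' ', MAX_METHOD, &why))) return why;
    take_field(out->method, p, d);
    p = d + 1;

    if (!(d = find_delim(p, end, ' ', MAX_TARGET, &why))) return why;
    take_field(out->target, p, d);
    p = d + 1;

    if (!(d = find_delim(p, end, '\r', MAX_VERSION, &why))) return why;
    if (d + 1 >= end || d[1] != '\n') return PARSE_MALFORMED;
    take_field(out->version, p, d);
    return PARSE_OK;
}

/* Verdict only, for NUL-terminated test strings. */
enum parse_result parse_status(const char *line)
{
    struct request_line rl;
    return parse_request_line(line, strlen(line), &rl);
}

/* 1 if the line parses and every field matches what the caller expects. */
int parse_and_check(const char *line, const char *method,
                    const char *target, const char *version)
{
    struct request_line rl;
    if (parse_request_line(line, strlen(line), &rl) != PARSE_OK) return 0;
    return strcmp(rl.method, method) == 0 && strcmp(rl.target, target) == 0
        && strcmp(rl.version, version) == 0;
}

/* Constructed test data: a request whose target is target_len bytes of 'A'.
 * The fixed-size struct on our stack must survive any length asked for. */
enum parse_result oversized_target_result(size_t target_len)
{
    const char head[] = "GET ", tail[] = " HTTP/1.0\r\n";
    size_t len = (sizeof head - 1) + target_len + (sizeof tail - 1);
    char *req = malloc(len);
    struct request_line rl;
    enum parse_result r;

    if (!req) { perror("malloc"); exit(1); }
    memcpy(req, head, sizeof head - 1);
    memset(req + (sizeof head - 1), 'A', target_len);
    memcpy(req + (sizeof head - 1) + target_len, tail, sizeof tail - 1);
    r = parse_request_line(req, len, &rl);
    free(req);
    return r;
}

int main(void)
{
    size_t probes[] = { 1, MAX_TARGET, MAX_TARGET + 1, 65536, (size_t)1 << 20 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("target of %zu bytes -> %s\n", probes[i],
               oversized_target_result(probes[i]) == PARSE_OK ? "accepted" : "rejected");
    return 0;
}
```

The design choice worth noticing is that the length check lives in the scan, not in the copy: find_delim stops after max + 1 bytes regardless of how much input follows, so neither the time spent nor the bytes written depend on the client. That is the property source review would look for in the library routines Paul mentions, and the kind of property a test harness can only sample, which is his point about the lower level of assurance.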