Firewall Wizards mailing list archives
RE: VA vs PT tool
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 13 Jun 2003 20:33:15 +0200
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of SimonChan () lifeisgreat com sg
[...]

> Hi fw-wiz, I posted some time on the list a couple of months back for some recommendations on a good VA tool. The bulk of the responses pointed to ISS, NetRecon and Vigilante.

I don't work for any of them, but I am currently in the space, and this may be considered a disclaimer. :)

> However, a VA tool is limited, in that it only stops at the vulnerability. I'm looking at a Pen Test tool that not only does the VA functionality but also exploits the vulnerability, thus defining it as a real THREAT and not just a vulnerability. Is there a widely accepted tool on the market right now?

I'll answer this question in two parts.

a) Nessus is the closest you'll get to an "aggressive" VA tool. In some cases it will try to exploit vulnerabilities if you tell it to. CAVEAT - go read the recent thread on vuln-dev about what Nessus does to production networks. (This is not to say I don't like Nessus, I just wouldn't run it on a production network - navré Renaud. ;)

b) I would submit that you don't really want to do that. Let me ramble.

Back to basics time - any business RISK is made up of three things. A VULNERABILITY, which is a problem or a 'hole' or a bug or whatever. A THREAT, which is also called an attack vector - a way this vulnerability can be attacked. If you have a vulnerability but no threat then you don't have a problem. Finally, for there to be a risk there must be a NEGATIVE OUTCOME - if one of my servers gets hacked but there is no negative outcome (e.g. the server is a honeypot [1]) then there is no problem.

So, with that in mind, I would say that your distinction above about the difference between a vulnerability and a threat isn't quite right. A more accurate tool is better, because it's good to know exactly what your vulnerabilities are in order to assess risk. However, the difference between an INTRUSIVE and a NON-INTRUSIVE tool is basically just one of accuracy; in theory, intrusive tools are more accurate. In practice, I would question that. And, in addition, in reality most people don't want to be running intrusive tools on their production networks. The gain in accuracy isn't worth the loss in productivity when things fall over.

My take on the industry at the moment is that most of the leading tools are OK at finding vulnerabilities [2], although I happen to genuinely believe that ours is the best and most flexible (honest!) [3]. None of the tools are very good at telling you what your threats are, because this is virtually impossible to do with a tool. And only a few of the tools have any sort of interface to try and correlate things with the negative outcome, or potential loss - and the ones that do are so rudimentary that they don't get me very excited.

What does this say to me? That we still need a security person with a brain to parse the results of all the tools. However, I really think that organisations that are trying to seriously assess business risk without some form of VA are just Making Crap Up.

ben

[1] Like the ISS server that got hacked, which was....a honeypot! Sure. Nothing to see here. Move along, we're a hedge. [4]
[2] I would only consider two of the tools you mentioned as belonging to that category.
[3] No way is this plug getting past Paul if I mention the company. :D
[4] Nobody will get this comic reference, but that's OK. Ninjas. They're wacky.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
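The vulnerability / threat / negative-outcome split argued in the reply above, as an added worked example that is not part of the original thread: a small triage routine that takes constructed scanner findings and only keeps the ones where a reachable attack path and a real business loss both exist. Host names, plugin names, the reachability map and the impact numbers are all invented sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of VA output: a VULNERABILITY the scanner believes exists."""
    host: str
    plugin: str   # scanner check name (constructed for this example)
    cvss: float   # scanner severity, 0..10


# THREAT model: which attacker zones can reach each host (constructed sample data).
REACHABLE_FROM = {
    "web01": {"internet", "corp"},
    "db01": {"corp"},        # not exposed to the internet at all
    "hp01": {"internet"},    # honeypot, deliberately exposed
}

# NEGATIVE OUTCOME model: business loss if the host is compromised, 0..10 (constructed).
IMPACT = {"web01": 8.0, "db01": 10.0, "hp01": 0.0}   # honeypot: nothing to lose


def risk_score(f, attacker_zones):
    """Risk needs all three parts: a vulnerability, a reachable path, and a loss."""
    threat = bool(REACHABLE_FROM.get(f.host, set()) & set(attacker_zones))
    loss = IMPACT.get(f.host, 0.0)
    if not threat or loss == 0.0:
        return 0.0            # a vulnerability, but not a risk from this attacker zone
    return round(f.cvss * loss / 10.0, 2)


def triage(findings, attacker_zones):
    """Drop findings that are vulnerabilities but not risks; rank the rest by score."""
    scored = [(f, risk_score(f, attacker_zones)) for f in findings]
    return sorted([(f, s) for f, s in scored if s > 0], key=lambda p: -p[1])


SAMPLE = [   # constructed scanner results, not output of any real tool
    Finding("web01", "http_rce_check", 9.3),
    Finding("db01", "db_auth_bypass", 10.0),
    Finding("hp01", "http_rce_check", 9.3),
]

if __name__ == "__main__":
    # An internet-based attacker: only web01 is a risk; db01 has no path, hp01 has no loss.
    for f, s in triage(SAMPLE, {"internet"}):
        print(f.host, f.plugin, s)
```

Re-running triage with an insider zone added (`{"internet", "corp"}`) brings db01 to the top, which is the "needs a person with a brain" step: the threat and loss inputs come from the organisation, not from the scanner.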