Firewall Wizards mailing list archives

Re: I wonder, how to test..


From: "Adrian Grigorof" <adrian () grigorof com>
Date: Fri, 30 Jul 2004 00:51:16 -0400

The short answer would be "No". What you described sounds like "reasonable
proof", but why should we believe you? ;) Even if you go through the whole
process of hiring some expensive auditors from the likes of Deloitte and
Touche all you can get, at best, is something saying that yes, you are as
secure as possible for your type of organization (from their perspective).
All these reports say that if you make any kind of change to the setup, the
report is no longer valid (for example, applying a hotfix is a change). You
may control the network infrastructure, but how about the code behind the
applications? SQL injection attacks may compromise an application regardless
of how locked down the web server is or if the SQL machine is in the DMZ.
Also, how about DoS attacks?
That being said, as a low cost tool, maybe you can still install Linux on a
laptop and perform network scans with scanners like Nessus. You can move
your laptop to all the network segments that are part of the infrastructure
that you described and scan them for known vulnerabilities.

Regards,

Adrian Grigorof
www.firegen.com
Firewall log analyzers
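One way to act on the laptop-scan suggestion above, as an added example that is not code from this thread: a small Python script that compares the open ports observed on each segment against the policy Meindert describes (only HTTP to the DMZ, only the data-layer port from the DMZ to the inside SQL host), so that a change such as a hotfix opening an extra port shows up on the next scan. It assumes the scanner wrote nmap's grepable (-oG) host lines; the addresses, ports and scan lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Expected policy for the colocated production environment as described in
# the thread: outside -> DMZ web servers on HTTP only; DMZ -> inside SQL host
# on the data-layer port only. Addresses and ports are constructed placeholders.
EXPECTED = {
    "dmz": {"192.0.2.10": {80}, "192.0.2.11": {80}},
    "inside": {"198.51.100.20": {1433}},
}

# Constructed sample scan output in nmap's grepable (-oG) host-line format,
# one list per segment the laptop was plugged into.
SCAN_RESULTS = {
    "dmz": [
        "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///",
        "Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 22/open/tcp//ssh///",
    ],
    "inside": [
        "Host: 198.51.100.20 ()\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///",
    ],
}

# Matches only ports reported as open over TCP, e.g. "80/open/tcp".
PORT_RE = re.compile(r"(\d+)/open/tcp")


def open_ports(line):
    """Return (host, set of open TCP ports) parsed from one grepable host line."""
    host = line.split()[1]
    return host, {int(p) for p in PORT_RE.findall(line)}


def policy_violations(expected, results):
    """Compare observed open ports per segment against the allow-list.
    Returns {segment: {host: sorted unexpected ports}}; a host missing from
    the policy is reported with every open port it exposes."""
    violations = defaultdict(dict)
    for segment, lines in results.items():
        for line in lines:
            host, ports = open_ports(line)
            allowed = expected.get(segment, {}).get(host, set())
            extra = sorted(ports - allowed)
            if extra:
                violations[segment][host] = extra
    return dict(violations)


if __name__ == "__main__":
    for seg, hosts in policy_violations(EXPECTED, SCAN_RESULTS).items():
        for host, ports in hosts.items():
            print(f"[{seg}] {host} exposes unexpected ports: {ports}")
```

Re-run the comparison after every change to the setup; a clean result only says the policy still holds for the ports scanned, nothing about the application code behind them.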

----- Original Message ----- 
From: "Meindert Uitman" <meindert.uitman () avic nl>
To: <firewall-wizards () honor icsalabs com>
Sent: Thursday, July 29, 2004 10:33 AM
Subject: [fw-wiz] I wonder, how to test..


Hi list,
As a regular reader of this list, and (amongst many other tasks)
responsible for security at our company, I wonder. I've taken most
measures to make our business secure. It's all on a small scale,
everything runs well, but every now and then the tiny hairs on the back
of my head make me wonder how secure it all is. Yes, webservers are
locked down, are in DMZ, only http permitted, SQL on inside via data
layers, only necessary ports between DMZ and inside; this production
environment is colocated, office is connected via PIX to PIX vpn,
restricted access to this vpn, etc.

Are there any low cost means / tools out there to verify that what I
have done so far is reasonable proof?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


Current thread: