Firewall Wizards mailing list archives
Re: I wonder, how to test..
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Fri, 30 Jul 2004 15:32:45 +0100
In fact, I'd go further than that. If the auditors are the type to caveat all reports then it is likely that they will give you a statement of risk/threat/vulnerability/security/whatever for the period over which the test was run. Not changing anything in your setup implies not applying patches (as stated). Not applying patches will make your setup less secure as time goes by. It would be impossible for the auditors to predict the future vulnerabilities in your setup from the as-yet-undiscovered exploits. It is likely that such auditors will not make any claims about security/whatever for the future.
Of course, you can hire competent information security professionals who can devise an awareness/patching/updating/config-controlled policy so that you can at least know what needs patching, what's at risk, what patches are available, how to patch in a controlled fashion, etc.
Kev
The short answer would be "No". What you described sounds like "reasonable proof", but why should we believe you? ;) Even if you go through the whole process of hiring some expensive auditors from the likes of Deloitte and Touche, all you can get, at best, is something saying that yes, you are as secure as possible for your type of organization (from their perspective). All these reports say that if you make any kind of change to the setup, the report is no longer valid (for example, applying a hotfix is a change). You may control the network infrastructure, but how about the code behind the applications? SQL injection attacks may compromise an application regardless of how locked down the web server is or if the SQL machine is in the DMZ. Also, how about DoS attacks?

That being said, as a low cost tool, maybe you can still install Linux on a laptop and perform network scans with scanners like Nessus. You can move your laptop to all the network segments that are part of the infrastructure that you described and scan them for known vulnerabilities.

Regards,
Adrian Grigorof
www.firegen.com
Firewall log analyzers

----- Original Message -----
From: "Meindert Uitman" <meindert.uitman () avic nl>
To: <firewall-wizards () honor icsalabs com>
Sent: Thursday, July 29, 2004 10:33 AM
Subject: [fw-wiz] I wonder, how to test..

Hi list,

As a regular reader of this list, and (amongst many other tasks) responsible for security at our company, I wonder. I've taken most measures to make our business secure. It's all on a small scale, everything runs well, but every now and then the tiny hairs on the back of my head make me wonder how secure it all is. Yes, webservers are locked down, are in DMZ, only http permitted, SQL on inside via data layers, only necessary ports between DMZ and inside; this production environment is colocated, office is connected via PIX to PIX vpn, restricted access to this vpn, etc.

Are there any low cost means / tools out there to verify that what I have done so far is reasonable proof?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
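Kevin's point that a useful policy lets you know what needs patching and what patches are available, and Adrian's point that an audit report stops being valid the moment the setup changes, both reduce to the same routine check: keep an inventory of what is installed on each host and compare it against current advisories every time either side changes. The following is an added illustration of that check, not code from anyone in the thread; the host names, package versions and advisory identifiers are all constructed, and the version-comparison rule (numeric dot-separated components, shorter versions padded with zeros) is an assumption that fits typical package versions but not every vendor's scheme.

```python
"""Patch-status check: compare an installed-software inventory against
advisories that name a 'fixed in' version.  Added example with constructed
data; nothing here is taken from a real advisory feed."""
from typing import Dict, List, Tuple

# Constructed inventory: host -> {package: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "dmz-web-1": {"httpd": "2.0.49", "openssl": "0.9.7c"},
    "dmz-web-2": {"httpd": "2.0.50", "openssl": "0.9.7d"},
    "inside-sql-1": {"mssql-engine": "8.0.760"},
}

# Constructed advisories (ids are placeholders, not real CVE/vendor ids):
# each says a package is vulnerable below the 'fixed_in' version.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-001", "package": "httpd", "fixed_in": "2.0.50"},
    {"id": "ADV-EXAMPLE-002", "package": "openssl", "fixed_in": "0.9.7d"},
    {"id": "ADV-EXAMPLE-003", "package": "mssql-engine", "fixed_in": "8.0.818"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.49' into (2, 0, 49).  Non-numeric suffixes such as the 'c'
    in '0.9.7c' are mapped to an extra component (a=1, b=2, ...) so that
    0.9.7c < 0.9.7d; anything else non-numeric is ignored.  Assumption: this
    matches the page's kind of versions, not every vendor scheme."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = "".join(ch for ch in piece if ch.isalpha())
        parts.append(int(digits) if digits else 0)
        if letters:
            # 'c' -> 3, 'd' -> 4; only the first letter is significant here
            parts.append(ord(letters[0].lower()) - ord("a") + 1)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is strictly older than the fix."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so 2.0 compares equal to 2.0.0
    b += (0,) * (n - len(b))
    return a < b


def missing_patches(inventory: Dict[str, Dict[str, str]],
                    advisories: List[Dict[str, str]]
                    ) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Return {host: [(package, installed, fixed_in, advisory_id), ...]}
    listing only hosts that still have at least one unpatched package."""
    findings: Dict[str, List[Tuple[str, str, str, str]]] = {}
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue  # package not present on this host
            if is_vulnerable(installed, adv["fixed_in"]):
                findings.setdefault(host, []).append(
                    (adv["package"], installed, adv["fixed_in"], adv["id"]))
    return findings


def report(findings: Dict[str, List[Tuple[str, str, str, str]]]) -> str:
    """Render the findings as plain text for a daily mail or ticket."""
    if not findings:
        return "All inventoried packages are at or above the fixed version."
    lines = []
    for host in sorted(findings):
        for pkg, have, want, adv in findings[host]:
            lines.append(f"{host}: {pkg} {have} < {want} ({adv})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(missing_patches(INVENTORY, ADVISORIES)))
```

The point of keeping the inventory and advisory list as data rather than as memory is the one Kevin makes: the audit told you where you stood on one day, and this check tells you where you stand today. Re-running it after every change, or after every new advisory, is what turns a one-off report into an ongoing statement.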
Current thread:
- I wonder, how to test.. Meindert Uitman (Jul 29)
- Re: I wonder, how to test.. Adrian Grigorof (Jul 30)
- Re: I wonder, how to test.. Kevin Sheldrake (Jul 30)
- Re: I wonder, how to test.. Martin Mačok (Jul 30)
- Re: I wonder, how to test.. Kevin Sheldrake (Jul 30)
- Re: I wonder, how to test.. Paul D. Robertson (Jul 30)
- Re: I wonder, how to test.. Kevin Sheldrake (Jul 30)
- Re: I wonder, how to test.. Adrian Grigorof (Jul 30)