Re: Requirements for IPv6 Firewalls

[Peter Kristolaitis <alter3d () alter3d ca>]

On 4/18/2014 11:29 PM, Jeff Kell wrote:
> Anyone ever pentested you? It's an enlightening experience. Jeff 

At a previous job, we hired a company (with CISSP-certified pentesters) 
to do a black box pentest of our network.

Things I was "enlightened" by:

- It's OK to work in a highly technical field with no technical 
background.  The pentester they sent couldn't get Backtrack running on 
the machine we had provided to him because the onboard video didn't 
support 32-bit color under Linux (IIRC, a P4-era Dell desktop).  The 
concept of reading log files to find out what was wrong was completely 
foreign to him, as was the required 1-line fix in the X11 config.

- It's OK to not report a horribly insecure box to the client if you're 
stupid or lazy.  We had set up a honeypot box on our network to see if 
the pentester would find it, and despite tons of log evidence showing 
that he both found the box and the weak services... no mention of it was 
made on the report submitted to us.  Needless to say, this made the 
entire report suspect, and my boss had great pleasure in yelling at the 
vendor when I brought it to her attention.

- It's OK to not know anything at all about the tools you're using to do 
the job.  The pentester called us because he was getting "weird nmap 
results" and couldn't grok them (and insisted that we had given him the 
wrong IP addresses).  The reason?  A firewall that dropped unwanted 
traffic.  Seriously.  CISSP certified and he couldn't figure out how to 
detect firewalls that have a default-drop policy.

- It's OK to rely only on automated tools and blindly trust their 
output.   No attempts at targeted attacks were made, despite being 
specifically asked and authorized to do destructive testing against our 
test servers.  We KNEW from our own testing that there were some SQL 
injection and buffer overflow holes there (again, some even placed on 
purpose to see what he'd find), and his automated tools didn't find them 
so he assumed everything was fine.

And that's just SOME of the stuff from that particular experience. 
Enlightening?  Yes.  I now do my own pentesting, because I'd rather not 
waste $20K+ on a report of questionable quality done by someone who may 
or may not know how to run nmap, let alone more technical 
application-level attacks.

There are undoubtedly some good pen-testers out there that are worth 
every dime they charge.  However, like every other technical speciality, 
there are a LOT of really, really, really terrible practitioners.    
Shelling out big money to hopefully find the former in a field of mostly 
the latter is bound to be an exercise in both frustration and misspent 
resources.