Penetration Testing mailing list archives
RE: Nortel Security
From: Mike.Ruscher () CSE-CST GC CA
Date: Fri, 29 Jun 2001 18:06:22 -0400
A good place to start would be to examine the security modelling documentation for the device. There should be a statement of security objectives included as part of the engineering documentation. A security policy defined, based on the security objectives, outlining the proposed security features/services to be implemented will provide the details of the product's security behaviours that were to be implemented. This should be followed up with design specifications for each of the identified security mechanisms that comprise the totality of the security features/services required to realize the product's written security policy, along with a correspondence or mapping to the policy features/services, since there will likely be necessary sharing of many of the lower level security mechanisms' functionality for code reduction and other practical considerations.

Once you have a complete understanding of the product's security design, you will be in a good position to 'review' the product's security, or will have done so, more or less. You should also be able to locate the product's security features test planning documents and detailed testing results which validate the security design to a certain degree.

Now, as an added bonus, you are in a perfect position to perform some of your own tests, for things like undocumented features, behaviours etc. that could compromise the security policy, unless of course this had been done thoroughly during product testing already.

I'm sure I have left out a few other things that could be examined, or done, as part of this particular review exercise, since they are typically very context dependent, but not nearly as much as the dependency that the documentation actually exists, or that the product was designed with any adherence to standard security engineering principles.

Good luck,
mgr

Mike Ruscher, ITS Specialist
I2, CSE/CST
mgruscher () cse-cst gc ca
Phone: +1 613 991-8040
ED/C200
http://www.cse-cst.gc.ca
-----Original Message-----
From: Thad Horak [mailto:thadhorak () yahoo com]
Sent: Friday, June 29, 2001 11:45 AM
To: pen-test () securityfocus com
Subject: Nortel Security

I've been asked to review the security of our Nortel Meridian PBX. I've searched Google & Yahoo and can't find too much to aid me in this. Can anyone point me to some good information on key things to audit/test?

Thanks in advance.

Thad

--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Current thread:
- Re: Nortel Security Jason Ellison (Jul 01)
- <Possible follow-ups>
- RE: Nortel Security Mike . Ruscher (Jul 01)
- Re: Nortel Security H D Moore (Jul 01)
- Re: Nortel Security Mark Rowe (Jul 10)
- Re: Nortel Security h0pper (Jul 02)