Re: Lab OS Choices

[Pete Herzog <lists () isecom org>]

Hi,

Over the last 6 years we have studied the differences of tests against 
various platforms of virtual and real systems.  This has led us to making 
the best possible test network we can for the OPST and OPSA certification 
exams.  What we have found is that there is a large difference between them 
on the network packet level but almost none on the application level 
(although various application tests do rely on the encapsulating protocol 
so YMMV).

What's most important is the the tester's machine is NOT virtual.  Because 
the low-level problems at packet level do multiply during testing multiple 
systems.  However for a complete lab set up, make sure your virtual systems 
are as close to the OS as possible- kernel level preferably, or else use 
the real thing directly on metal. If you will only be doing application 
tests, then it probably matters very little and go with your higher level 
virtual machines.

One final note, as Jerry mentions, make sure your network devices are real! 
 Don't try to virtualize networking because it is very complicated and 
will look very fake.  We tested virtual networks and virtual networking but 
such systems could not handle team traffic (low-to-medium traffic) without 
producing errors.  If you want to virtualize port forwards and simple hops, 
you can et away with that between low-level virtualized machines but don't 
try to duplicate anything else or else your error rate will compound and 
make your analysis practically worthless.

Sincerely,
-pete.


Shenk, Jerry A wrote:
> I've found a few tests that worked against virtual machines but did not
> work against real machines.  I agree, in most cases, there really is no
> difference.
>
> I also have some routers in my lab.  That way, I can set up egress
> filtering between the servers and the attackers in the lab.  That will
> help you get some realism about some things, particularly local exploits
> of machines inside the network (like an Exchange client attack).  I
> think that also increases your credibility when talking with
> clients...for example, "In the lab, we set up egress filtering...blah,
> blah, blah...and with the filtering enabled, the remote exploit of the
> Exchange client worked in that it crashed the client but it made it much
> more difficult to get to a command-prompt on that box."  That's not
> really part of the pen-test itself but the real goal of the pen-test is
> to make the network more secure and it definitely goes toward explaining
> to the client how to make their network more secure.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------