Penetration Testing mailing list archives
Re: Pentesting Old unsupported Firewall Appliances
From: "Security Guy" <security () sligoinc com>
Date: Wed, 13 Jun 2007 09:38:44 -0400
On 6/11/07, Harold Castro <b0ydaem0n () yahoo com> wrote:
Hi, I'm new in pen testing. Recently, I came across this firewall appliance running Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7 during an external pentest.
Eeew.
1. First, find out what is the firmware version of that machine.
See below
2. Then find out if the apache version on that particular firmware really had a security issues confirmed by the manufacturer and if there were any patches provided to address such issues. For this, I have to obtain the CHANGES logs, patches documentations etc. But the problem is this is not like an open source thing where you have access to everything.
Even with open source, how many people actually LOOK at the code, much less try to fix it.
This creates a problem. How do you go about it?? Should I just mention in the report that, "this particular host contains several high risk vulnerabilities and poses a significant risk. However, if you have applied the patches or did a firmware upgrade then you don't have to worry anymore."
Haha, if that were the case I would close-up shop and never work again! Even with supported products, just "applying the patches ... and don't have to worry anymore" is not a good strategy.
And one more thing, if their appliance is no longer supported by the manufacturer, do you give a replacement suggestion in your report?
Yes. Recommend a supported product
If all else fails, do you tell the customer that it is safe to ignore those warnings and vulnerabilities because you, on a hacker's perspective, was not able to penetrate the network by making use of those vulnerabilities found, that the hacker might have a hard time as well and eventually opt for another target?
Good lord, no. Remember that a PenTest does not prove the negative! Just because YOU can't get in to their network does not mean that a skilled hacker could not write a 0day to get through the firewall. My suggestion: mention that you don't really have enough information to make a good recommendation on the box, get access to it, evaluate the configuration and get some hard info on the box itself, maybe even who the manufacturer really is. -Karl ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Pentesting Old unsupported Firewall Appliances Harold Castro (Jun 11)
- Re: Pentesting Old unsupported Firewall Appliances Jamie Riden (Jun 15)
- RE: Pentesting Old unsupported Firewall Appliances Clemens, Dan (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Tiago Batista (Jun 15)
- Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances mOses (Jun 15)
- Re: Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances Michael Painter (Jun 21)
- Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances mOses (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Security Guy (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances vtlists (Jun 15)
- <Possible follow-ups>
- RE: Pentesting Old unsupported Firewall Appliances Michael Scheidell (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Jamie Riden (Jun 15)