Penetration Testing mailing list archives

Re: Pentesting Old unsupported Firewall Appliances

From: "Security Guy" <security () sligoinc com>
Date: Wed, 13 Jun 2007 09:38:44 -0400

On 6/11/07, Harold Castro <b0ydaem0n () yahoo com> wrote:

Hi,

I'm new in pen testing.
Recently, I came across this firewall appliance
running Apache/1.3.26
(Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7 during an
external pentest.


Eeew.


1. First, find out what is the firmware version of
that machine.


See below

2. Then find out if the apache version on that
particular firmware really had a security issues
confirmed by the manufacturer and if there
were any patches provided to address such issues. For
this, I have to obtain the CHANGES logs, patches
documentations etc. But the problem is
this is not like an open source thing where you have
access to everything.


Even with open source, how many people actually LOOK at the code, much
less try to fix it.


This creates a problem. How do you go about it??
Should I just mention in the report that, "this
particular host contains several high risk
vulnerabilities and poses a significant risk. However,
if you have applied the patches or did a firmware
upgrade then you don't have to worry anymore."


Haha, if that were the case I would close-up shop and never work
again! Even with supported products, just "applying the patches ...
and don't have to worry anymore" is not a good strategy.


And one more thing, if their appliance is no longer
supported by the manufacturer, do you give a
replacement suggestion in your report?


Yes. Recommend a supported product


If all else fails, do you tell the customer that it is
safe to ignore those warnings and vulnerabilities
because you, on a hacker's perspective, was not able
to penetrate the network by making use of those
vulnerabilities found, that the hacker might have a
hard time as well and eventually opt for another
target?


Good lord, no. Remember that a PenTest does not prove the negative!
Just because YOU can't get in to their network does not mean that a
skilled hacker could not write a 0day to get through the firewall.

My suggestion: mention that you don't really have enough information
to make a good recommendation on the box, get access to it, evaluate
the configuration and get some hard info on the box itself, maybe even
who the manufacturer really is.

-Karl

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

Current thread:

Pentesting Old unsupported Firewall Appliances Harold Castro (Jun 11)
- Re: Pentesting Old unsupported Firewall Appliances Jamie Riden (Jun 15)
  - RE: Pentesting Old unsupported Firewall Appliances Clemens, Dan (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Tiago Batista (Jun 15)
  - Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances mOses (Jun 15)
    - Re: Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances Michael Painter (Jun 21)
- Re: Pentesting Old unsupported Firewall Appliances Security Guy (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances vtlists (Jun 15)
- <Possible follow-ups>
- RE: Pentesting Old unsupported Firewall Appliances Michael Scheidell (Jun 15)