Re: Evaluating the security level of a firewall

["James Fields" <jvfields () tds net>]

It's not a matter of Nessus or any other tool being "good enough" - the
point goes back to what you friend said about being too busy.  I have a
limited number of hours per weeks.  I manage 8 firewalls, numerous IDS
sensors and maintain about 50 VPNs for my company.  I also am part of a team
responsible for managing our routers, switches, etc.  I do not have time to
research, on a regular basis, everything going on in the industry.

I've been told some companies hire security people who do nothing else - but
I've yet to work at such a place, and can't say what it would be like...

----- Original Message ----- 
From: "yannick'san" <yannicksan () free fr>
To: <security-basics () securityfocus com>
Sent: Saturday, May 24, 2003 11:24 AM
Subject: Evaluating the security level of a firewall


> Hello folks,
>
> Well, a couple of days ago, I had a strong discussion with friends about
how
> to regularly evaluate the security level of a firewall.
>
> First of all, everybody agreed that we can't install/configure a firewall
> and then sleep and consider that everything behind it is in a secure area
.
> In any security approach we have to think about the "life cycle" of the
> firewall. thus, security managers has to plan for a recursive process for
> regularly looking for its state and the vulnerabilities which could have
> came out on it.
> In fact, our discussion became very strong when we started to talk about
the
> methods we were using for. They told me that they were only evaluating the
> security level by regularly launching tools (like nessus) against their
> firewall. So, somewhere in a procedure it was clearly written a sentance
> like this one :
>
> "We considere (today) that the firewall and its configuration is secure
> according to the results given by nessus."... and that's all.
>
> It seems that I was the only one to considere that we could not only
> evaluate a security level regarding to the results given by this tool but
we
> also had to look for vulnerabilities in CERTS or CVE. In case of a
> 0-vulnerability result, the tools will let us think that the security
level
> is good while in fact it is completly wrong. I considered that it was a
> wrong way of thinking and told them that my sentance will have been :
>
> "We considere (today) that the firewall and its configuration is secure
> according to the results given both by a search on CVE or CERTS databases
> and the actual configuration and last update. Nessus (or other tools) are
> used to improve our view but are not considered as sufficient."
>
> I've been told that looking for CVE or CERTS vulnerabilities takes too
long
> time for a lonely security manager who both has to deal with a lot of
> equipments and other security stuffs. They said nessus give them a good
> security view and without any security organisation to help them, the task
> is too hard.
>
> I answered that if a security manager can't take the time to check for
> vulnerabilities in specific databases, he must write somewhere the reasons
> and the security consequences of his choice.  Reason and security
> consequences of just using tools like nessus. Our discussion about this
> subject has covered subjects like process, procedures, methods, risk
> analysis (especialy identification of the threats), security
management,...,
> but finaly I was told that most of companies do like them and my approach
> was not used.
>
> I would to know your point of view, your experiences, for exemple : do you
> only use nessus (or anything else) and considere the results as valuable
??
> Any comments (flame or not) is welcome :)
>
> Thanks in advance.
>
> -Yannick
>
>
> --------------------------------------------------------------------------
-
> Thinking About Security Training? You Can't Afford Not To!
>
> Vigilar's industry leading curriculum includes:  Security +, Check Point,
> Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now!
> --UP TO 30% off classes in select cities-- 
> http://www.securityfocus.com/Vigilar-security-basics
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
----------------------------------------------------------------------------