Security Basics mailing list archives

Re: Evaluating the security level of a firewall


From: James Taylor <james_n_taylor () yahoo com>
Date: Mon, 26 May 2003 18:25:46 -0700 (PDT)

Yannick,

I suppose the thing to bear in mind is that the company
directors and board are liable if there is a breach, so
ultimately the responsibility is with them to approve the
policy.

Part of all 'life-cycles' is the operations & maintenance bit at the end. By limiting themselves to just testing with nessus they are effectively 'clipping' the testing parameters, making assumptions and closing out other possible threats, including some which are, of course, non-technical. It's too true that people go to the trouble of installing expensive security hardware/software/training/consultancy, then cut corners by not looking after it, exposing themselves to attack by closing their eyes. The maintenance bit is part of the cost of the solution and should be built into the plan from the outset.

If I was the security manager I would be doing everything in my power to ensure that I was aware of all vulnerabilities of my equipment, and would build these tests/checks into the security administrator's monthly maintenance plan. It is just part of their role and resource needs to be allocated as such. He/she should make management aware of resource shortfall (and may get a bashing for not predicting it at implementation).

How long does it take to subscribe to the manufacturer's mailing list, search bugtraq/CERTs/CVE against the name of the protecting device/software and run any tests once a month? 2-3 hours, perhaps? They will already be updating the nessus database and keeping an eye on the OS/firewall patch levels.

Present the options to senior management, explain the cost
and risks of *not* implementing/checking and let them
decide. If I were on the board, for the sake of peace of
mind, I would make sure there was resource available to
gather as much information about the solutions as possible.
In fact, it's probably part of the security manager’s job
description already.

Nessus is a very valuable tool, but only part of the protection arsenal. It's difficult to comment on 'companies like them', as normally the protection implemented depends on the value of the data, and the cost of protecting it. Who cares what other companies are doing anyway? It's not their data you are protecting. Checking all possible sources of information and using many available penetration tools is, however, relatively cheap. Depending on the value of the data, I would suggest that a yearly penetration test by an independent company would be of benefit and not necessarily as cost-prohibitive as one may think.

What about "We undertake to test the firewall configuration using all reasonable means currently available to the company. From a technical perspective, this will include ensuring that all patch levels and security parameters are set to the manufacturer recommended levels, monthly testing with de-facto vulnerability scanners (such as nessus/xxx/xxx), and extensive searches of vulnerability lists (such as CERT/Bugtraq/xxx). From a non-technical perspective we will employ strict change control, regular policy & procedure re-evaluation and other administrative methods to ensure our firewall policy is acceptable to the company. By taking all reasonable steps freely available to us, we can place a high level of confidence in the security mechanisms in place at the time of examination."

Regards
James

--- yannick'san <yannicksan () free fr> wrote:
Hello folks,

Well, a couple of days ago, I had a strong discussion with friends about how to regularly evaluate the security level of a firewall.

First of all, everybody agreed that we can't install/configure a firewall and then sleep and consider that everything behind it is in a secure area. In any security approach we have to think about the "life cycle" of the firewall. Thus, security managers have to plan for a recursive process for regularly looking at its state and the vulnerabilities which could have come out on it.

In fact, our discussion became very strong when we started to talk about the methods we were using. They told me that they were only evaluating the security level by regularly launching tools (like nessus) against their firewall. So, somewhere in a procedure a sentence like this one was clearly written:

"We consider (today) that the firewall and its configuration is secure according to the results given by nessus."... and that's all.

It seems that I was the only one to consider that we could not only evaluate a security level according to the results given by this tool, but we also had to look for vulnerabilities in CERTs or CVE. In case of a 0-vulnerability result, the tools will let us think that the security level is good while in fact it is completely wrong. I considered that it was a wrong way of thinking and told them that my sentence would have been:

"We consider (today) that the firewall and its configuration is secure according to the results given both by a search on CVE or CERTs databases and the actual configuration and last update. Nessus (or other tools) are used to improve our view but are not considered as sufficient."

I've been told that looking for CVE or CERTs vulnerabilities takes too long for a lonely security manager who has to deal with a lot of equipment and other security stuff. They said nessus gives them a good security view and without any security organisation to help them, the task is too hard.

I answered that if a security manager can't take the time to check for vulnerabilities in specific databases, he must write down somewhere the reasons and the security consequences of his choice: the reasons and security consequences of just using tools like nessus. Our discussion about this subject has covered subjects like process, procedures, methods, risk analysis (especially identification of the threats), security management, ..., but finally I was told that most companies do like them and my approach was not used.

I would like to know your point of view and your experiences, for example: do you only use nessus (or anything else) and consider the results as valuable?? Any comments (flame or not) are welcome :)

Thanks in advance.

-Yannick
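The monthly check James describes (compare the protecting device against the manufacturer's recommended patch level and search the CVE/CERT/Bugtraq lists against the device name) and the point Yannick makes (a scanner reporting zero findings is not evidence that no known vulnerability applies) can be turned into a small inventory cross-check. The script below is an added example written for this archive page; it is not code from either poster. It assumes a locally kept inventory of firewall devices and a locally exported set of advisory records; every product name, version, advisory id and summary in it is constructed for illustration and does not refer to a real vendor or CVE entry.

```python
"""Monthly firewall maintenance check (constructed example, not from the thread).

Cross-references an inventory of protecting devices against (a) the vendor's
recommended patch level and (b) advisory records exported from a
vulnerability list, and flags the case where a scanner saw nothing but an
advisory still applies to the installed version.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed advisory records in the shape a CVE/CERT/Bugtraq export might
# take. Product names, ids and versions are made up for this example.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "product": "examplefw", "affected_below": "4.1.2",
     "severity": "high", "summary": "remote management authentication bypass"},
    {"id": "ADV-EXAMPLE-0002", "product": "examplefw", "affected_below": "3.9.0",
     "severity": "medium", "summary": "log injection via crafted packet"},
    {"id": "ADV-EXAMPLE-0003", "product": "otherfw", "affected_below": "2.0.5",
     "severity": "high", "summary": "rule-set bypass on fragmented traffic"},
]

# Constructed "manufacturer recommended" patch levels, per product.
RECOMMENDED = {"examplefw": "4.1.2", "otherfw": "2.0.5"}


@dataclass
class Device:
    name: str
    product: str
    version: str
    scanner_findings: int = 0  # what last month's scanner run reported


@dataclass
class Finding:
    device: str
    kind: str      # patch-level | advisory | scanner-gap | no-baseline
    detail: str
    severity: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1.2' into (4, 1, 2) so versions compare numerically, not as strings.

    Trailing letters in a component ('2a') are ignored; '4.10' sorts above '4.9'.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_device(device: Device, advisories=ADVISORIES, recommended=RECOMMENDED) -> List[Finding]:
    """Return every finding for one device; an empty list means nothing to act on."""
    findings: List[Finding] = []
    product = device.product.lower()
    installed = parse_version(device.version)

    # (a) Patch level against the manufacturer's recommended level.
    target = recommended.get(product)
    if target is None:
        findings.append(Finding(device.name, "no-baseline",
                                f"no recommended patch level on file for {device.product}", "info"))
    elif installed < parse_version(target):
        findings.append(Finding(device.name, "patch-level",
                                f"{device.version} is below recommended {target}", "medium"))

    # (b) Advisory list searched against the product name and installed version.
    for adv in advisories:
        if adv["product"].lower() == product and installed < parse_version(adv["affected_below"]):
            findings.append(Finding(device.name, "advisory",
                                    f"{adv['id']}: {adv['summary']} (fixed in {adv['affected_below']})",
                                    adv["severity"]))

    # (c) A clean scanner result does not cancel a matching advisory.
    if device.scanner_findings == 0 and any(f.kind == "advisory" for f in findings):
        findings.append(Finding(device.name, "scanner-gap",
                                "scanner reported nothing but advisories match this version", "info"))
    return findings


def run_monthly_check(devices: List[Device], advisories=ADVISORIES,
                      recommended=RECOMMENDED) -> Dict[str, List[Finding]]:
    """Map device name -> findings, including only devices that have any."""
    report = {}
    for device in devices:
        found = check_device(device, advisories, recommended)
        if found:
            report[device.name] = found
    return report


# Constructed inventory: names, products and versions are illustrative only.
DEVICES = [
    Device("fw-edge-1", "examplefw", "4.0.3", scanner_findings=0),
    Device("fw-edge-2", "examplefw", "4.1.2", scanner_findings=0),
    Device("fw-dmz-1", "otherfw", "2.0.1", scanner_findings=2),
    Device("fw-lab-1", "legacyfw", "1.0", scanner_findings=0),
]

if __name__ == "__main__":
    for name, findings in run_monthly_check(DEVICES).items():
        for f in findings:
            print(f"{name}: [{f.severity}] {f.kind}: {f.detail}")
```

The "scanner-gap" finding is the one that answers the thread's disagreement: fw-edge-1 comes back clean from the scanner yet sits below the version that an advisory names, so the report still raises it. Replacing the constructed `ADVISORIES` list with a real export from whichever list the company subscribes to is the only change needed to use it as the monthly check.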
