Security Basics mailing list archives
RE: Evaluating the security level of a firewall
From: "Roger Bou-Aoun" <roger.bouaoun () ndu edu lb>
Date: Wed, 28 May 2003 07:57:23 +0200
Dear Yannick,

Both ways are valid, depending on each party's point of view. However, in order to configure a firewall, you should attend training and follow the security policy of the organization where the Internetwork connection is involved, and the same applies to procedures. Another suggestion is to subscribe to the vendor mailing list and keep yourself up to date, in case a vulnerability is found, or new releases/patches.

However, a firewall alone is not enough in order to protect your servers or the organization; everything is related to layers, and this approach is the best one. Not to mention the support of the upper management and Information security auditing: what most of the firms would do is either hire an auditing company (usually big five) to come and audit the system; a good approach for security could be either the BS7799-2:2002, COBIT, NIST... The other thing to do is trying to run a risk assessment either from the inside (LAN) or the WAN; there are companies specialized in doing this.

You should take into consideration the type of firewall that is being used, because you cannot expect a packet filtering firewall to protect the application layer, neither stateful packet inspection. In case of the installation of an Intrusion Detection System, depending on the configuration it might write rules on the firewall, and in some cases you won't like the result (depending on the configuration and the brand name of the IDS); it might block all the incoming and outgoing traffic through the firewall.
Kind Regards
__________________________________________________
Division of Computing Services
Roger Bou-Aoun, Head
Information Security & Internetworking Department
Notre Dame University
Tel: 961-9-218-950 ext 2266
e-mail: roger.bouaoun () ndu edu lb

-----Original Message-----
From: yannick'san [mailto:yannicksan () free fr]
Sent: Saturday, May 24, 2003 5:25 PM
To: security-basics () securityfocus com
Subject: Evaluating the security level of a firewall

Hello folks,

Well, a couple of days ago, I had a strong discussion with friends about how to regularly evaluate the security level of a firewall. First of all, everybody agreed that we can't install/configure a firewall and then sleep and consider that everything behind it is in a secure area. In any security approach we have to think about the "life cycle" of the firewall. Thus, security managers have to plan for a recursive process for regularly looking at its state and the vulnerabilities which could have come out on it.

In fact, our discussion became very strong when we started to talk about the methods we were using for it. They told me that they were only evaluating the security level by regularly launching tools (like nessus) against their firewall. So, somewhere in a procedure it was clearly written a sentence like this one: "We consider (today) that the firewall and its configuration is secure according to the results given by nessus."... and that's all. It seems that I was the only one to consider that we could not only evaluate a security level regarding the results given by this tool but we also had to look for vulnerabilities in CERTS or CVE. In case of a 0-vulnerability result, the tools will let us think that the security level is good while in fact it is completely wrong.
I considered that it was a wrong way of thinking and told them that my sentence would have been: "We consider (today) that the firewall and its configuration is secure according to the results given both by a search on CVE or CERTS databases and the actual configuration and last update. Nessus (or other tools) are used to improve our view but are not considered as sufficient." I've been told that looking for CVE or CERTS vulnerabilities takes too long for a lonely security manager who has to deal with both a lot of equipment and other security stuff. They said nessus gives them a good security view and, without any security organisation to help them, the task is too hard. I answered that if a security manager can't take the time to check for vulnerabilities in specific databases, he must write somewhere the reasons and the security consequences of his choice: the reasons and security consequences of just using tools like nessus.

Our discussion about this subject has covered subjects like process, procedures, methods, risk analysis (especially identification of the threats), security management, ..., but finally I was told that most companies do like them and my approach was not used. I would like to know your point of view, your experiences, for example: do you only use nessus (or anything else) and consider the results as valuable?? Any comments (flame or not) are welcome :)

Thanks in advance.

-Yannick
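The evaluation Yannick argues for (an advisory search against the firewall's actual version and last update, with scanner output only as a supplement) can be written down as a small check, shown here as an added example that is not part of any message in this thread. The product name, version numbers and advisory identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Combine scanner findings with an advisory search against the running
firmware version. Every product, version and advisory id below is constructed
for illustration and refers to no real device or vulnerability."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Advisory:
    ident: str        # constructed placeholder id, not a real CVE/CERT entry
    product: str
    fixed_in: tuple   # first firmware version that contains the fix


def parse_version(text):
    """'4.1.2' -> (4, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def open_advisories(product, version, advisories):
    """Advisories whose fix is newer than the running version still apply,
    whether or not a scanner has a plugin that can see them."""
    running = parse_version(version)
    return [a for a in advisories if a.product == product and running < a.fixed_in]


def assess(product, version, scanner_findings, advisories, last_update, today):
    """Return (verdict, reasons). A clean scan alone never yields 'secure':
    the version/advisory check and the age of the last review also count."""
    reasons = []
    for a in open_advisories(product, version, advisories):
        fixed = ".".join(map(str, a.fixed_in))
        reasons.append(f"{a.ident}: fixed in {fixed}, running {version}")
    if scanner_findings:
        reasons.append(f"scanner reported {len(scanner_findings)} finding(s)")
    if (today - last_update).days > 90:
        reasons.append("configuration/update review older than 90 days")
    return ("secure" if not reasons else "review required"), reasons


# Constructed advisory list standing in for a CVE/CERT search result.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleFW", parse_version("4.2.0")),
    Advisory("ADV-EXAMPLE-002", "ExampleFW", parse_version("3.9.5")),
    Advisory("ADV-EXAMPLE-003", "OtherFW", parse_version("1.1.0")),
]

if __name__ == "__main__":
    # Scanner found nothing, but the version predates a published fix.
    print(assess("ExampleFW", "4.1.2", [], ADVISORIES, date(2003, 5, 1), date(2003, 5, 24)))
```

The first call reproduces the case Yannick describes: zero scanner findings, yet the advisory search marks the box as needing review.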