Firewall Wizards mailing list archives

RE: Proxy 2.0 secure?


From: "David Newman" <dnewman () cmp com>
Date: Fri, 3 Jul 1998 23:19:51 -0400

Shane,

I agree that our security testing could be more stringent--as could
everyone else's. But there are a couple of pieces of misinformation in your
message:

1. NSTL uses a variety of scanners (including Ballista), IDS products, and
its own custom-developed software in testing security. We used only ISS
Safesuite *in this instance.* We can argue about the merits of that
decision, but as a point of fact the article did not suggest other tools
were used.

I fully agree that scanners' reports are only a starting point. Safesuite
returned a number of false positives (as has been the case with every
scanner I've used, BTW). SCC and all other vendors were given complete test
results before publication. Several vendors demonstrated to us that
"vulnerabilities" flagged by ISS were in fact false positives, and we did
not report a vulnerability in these instances.

2. Your statement that "when doing performance testing, NSTL did not
require any security measures to be enabled" is false.

In case you no longer have the test plan sent to SCC before this test, let
me remind you that performance testing required vendors to configure their
devices to enforce a specific rule set allowing only a few services and
also requiring that network address translation be enabled. This rule set
differed from the security testing scenario because of our need to use
switches in front of the traffic generators to fully load the test bed, but
it was no more and no less secure. It was different, that's all.

All performance measurements for all products were taken with this same
configuration. SPF products were generally faster than ALG proxies because
there's less processing involved (duh). This is a fact. I have no desire to
engage in yet another SPF-vs.-proxies debate; there are cases where proxies
deliver security features that SPF designs can't, and there are situations
where SPF designs make more sense. As the article noted, each type of
product is beginning to adopt features of the other.

dn
ICMan <shane () tor securecomputing com> on 07/03/98 07:38:22 PM

Please respond to "shane () tor securecomputing com"
      <shane () tor securecomputing com>

To:   David Newman/NYC/CMPNotes
cc:   "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Subject:  RE: Proxy 2.0 secure?
Just so you know, early this year I was at a Firewall "Pen Testathon" at
NSTL that was performed for DataCommunications Mag, and they only used ISS
5.0 for the test.  They did not appear to have any other tools.  [I would
like to point out that many tools give false positives, and you must be
wary.  For example, ISS checks for servers on the Firewall.  If they are
there, they give a warning.  Also, if there is an ALG proxy on the port,
doing proxy redirection, ISS reported a server on the Firewall, even though
there was no server at the end of the redirected proxy.  ISS never checked
for the presence of a server by sending commands.  It got a connection on a
known port (in this case 119, indicating NNTP) and stated boldly that there
was a news server there.  Personally, I think that such tools are only good
to give an indication where you should start hacking by hand.]

Also, you should note that, when doing performance testing, NSTL did not
require any security measures to be enabled.  The SPF firewalls did great.
The vendors tuned them into little better than software routers for that
phase of the testing.  ALGs had reduced performance because ALG proxying,
and therefore highly secure access, cannot be disabled.  I thought that it
would be more appropriate for the Firewalls to be in the same highly secure
mode used for the Pen Test.  That would give more realistic "Firewall"
performance figures.

Don't believe everything you read.

ICMan

-----Original Message-----
From:     David Newman [SMTP:dnewman () cmp com]
Sent:     Thursday, 02 July, 1998 11:44 PM
To:  tqbf () pobox com
Cc:  firewall-wizards () nfr net
Subject:  Re: Proxy 2.0 secure?


Glass houses, Mr. Ptacek. You're ascribing conclusions to the article that
just aren't there. The text cautioned *against* concluding that devices
were secure simply because they didn't barf when we hit them with a finite
number of attacks.  I have no desire to get into a pissing match with you
about this, but you're making up conclusions we were careful to avoid, and
we even cautioned our audience against reading too much into our findings.
You need to be more careful with *your* wording.

I noted earlier in this thread that this isn't an issue of ISS's tools or
yours (or ours, for that matter; NSTL, which conducts most of Data Comm's
security testing, has its own attack tools as well). As I said earlier, it
doesn't really matter whose tool we use to generate ping of death, land,
teardrop2, boink, and the like; the target machines fail the same way.

dn
tqbf () pobox com on 07/02/98 09:17:24 PM

Please respond to tqbf () pobox com

To:   David Newman/NYC/CMPNotes
cc:   tqbf () pobox com, firewall-wizards () nfr net
Subject:  Re: Proxy 2.0 secure?
I'm sorry you're attacking me, for we are actually in violent agreement

It is not my intention to attack you; I simply have problems with the
manner in which conclusions appear to have been reached in an article you
wrote.

you that running a finite, known set of attacks against a properly
configured device does *not* mean a device is secure.

You should be more careful with your wording. Running a finite number of
exploits or attack signature generators against a device does not mean
that a device is secure, in general or from the underlying vulnerabilities
exploited/assessed by your attack tools.

Also, a clarification: ISS Safesuite has multiple modules, including one
that is intended for use against *firewalls,* not end-systems. It was this

NetSonar and CyberCop Scanner also have firewall testing modules (CCS
focusses on firewalls and routers) --- but I wouldn't rely on metrics from
either product to make conclusions about the security of a firewall
product. Apparently you agree, and I'm misunderstanding you, but I would
like to clarify the fact that this isn't an ISS vs. NAI issue (I think ISS
would agree with my logic here).

-----------------------------------------------------------------------------
Thomas H. Ptacek                       SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf     "If you're so special, why aren't you dead?"
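Shane's port-119 anecdote above (a scanner accepted a TCP connection through an ALG proxy and declared "news server" without ever speaking NNTP) is the classic false positive that a tester has to weed out of scanner output before publishing results. The following is an added example, not code from the thread, from NSTL or from any of the vendors named: a small triage check that distinguishes "the port accepts connections" from "an NNTP service actually answered", by reading the greeting and sending a harmless DATE command. The two stub servers (`nntp_stub`, `proxy_no_backend`) and the helper names are constructed for the demonstration; the verified NNTP reply format (200/201 greeting, `111 yyyymmddhhmmss` to DATE) is the standard one.

```python
import socket
import threading
import time

# Constructed stub servers (assumption: built for this example, not real
# products) that mimic the two situations in the thread: a real NNTP server
# on port 119, and a proxy that accepts the TCP handshake but has no server
# behind it, so it never sends a banner and just closes.

def _serve(handler):
    """Start a one-shot TCP server on an ephemeral port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def nntp_stub(conn):
    """Behave like a minimal NNTP server: greeting, then answer DATE."""
    conn.sendall(b"200 news.example.test constructed NNTP stub ready\r\n")
    line = conn.makefile("rb").readline()
    if line.strip().upper() == b"DATE":
        conn.sendall(b"111 19980703231951\r\n")
    else:
        conn.sendall(b"500 Command not recognized\r\n")

def proxy_no_backend(conn):
    """Accept the connection (what a port scan sees), then close silently."""
    time.sleep(0.2)

def free_port():
    """Return a port number that nothing is listening on (for the demo)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def classify_nntp(host, port, timeout=2.0):
    """
    Triage a scanner's 'news server on port 119' finding.

    Returns one of:
      'no-service'     - TCP connect failed
      'open-port'      - connection accepted, but no NNTP greeting or no
                         valid DATE reply (e.g. a proxy with no backend)
      'nntp-verified'  - greeting 200/201 and a well-formed 111 reply to DATE
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-service"
    with s:
        f = s.makefile("rb")
        try:
            banner = f.readline()
        except OSError:           # includes socket.timeout
            banner = b""
        if not banner.startswith((b"200", b"201")):
            return "open-port"
        # A greeting alone is still only a banner; make the service prove
        # itself with a read-only command that every NNTP server answers.
        try:
            s.sendall(b"DATE\r\n")
            reply = f.readline()
        except OSError:
            reply = b""
        parts = reply.split()
        if len(parts) == 2 and parts[0] == b"111" and len(parts[1]) == 14 \
                and parts[1].isdigit():
            return "nntp-verified"
        return "open-port"

def demo():
    """Run the three cases against the constructed stubs; return the verdicts."""
    return {
        "real_nntp": classify_nntp("127.0.0.1", _serve(nntp_stub)),
        "proxy_only": classify_nntp("127.0.0.1", _serve(proxy_no_backend)),
        "closed": classify_nntp("127.0.0.1", free_port()),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of the check is the separation between the three verdicts: a scanner that stops at "connection accepted" collapses the first two into one finding, which is exactly the "news server on the firewall" report Shane describes. When triaging scanner output against an ALG firewall, only the `nntp-verified` outcome supports reporting an exposed service; `open-port` is the proxy doing its job and should be recorded as such.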