Firewall Wizards mailing list archives
RE: Proxy 2.0 secure?
From: "David Newman" <dnewman () cmp com>
Date: Fri, 3 Jul 1998 23:19:51 -0400
Shane, I agree that our security testing could be more stringent--as could everyone else's. But there are a couple of pieces of misinformation in your message:

1. NSTL uses a variety of scanners (including Ballista), IDS products, and its own custom-developed software in testing security. We used only ISS Safesuite *in this instance.* We can argue about the merits of that decision, but as a point of fact the article did not suggest other tools were used. I fully agree that scanners' reports are only a starting point. Safesuite returned a number of false positives (as has been the case with every scanner I've used, BTW). SCC and all other vendors were given complete test results before publication. Several vendors demonstrated to us that "vulnerabilities" flagged by ISS were in fact false positives, and we did not report a vulnerability in these instances.

2. Your statement that "when doing performance testing, NSTL did not require any security measures to be enabled" is false. In case you no longer have the test plan sent to SCC before this test, let me remind you that performance testing required vendors to configure their devices to enforce a specific rule set allowing only a few services and also requiring that network address translation be enabled. This rule set differed from the security testing scenario because of our need to use switches in front of the traffic generators to fully load the test bed, but it was no more and no less secure. It was different, that's all. All performance measurements for all products were taken with this same configuration.

SPF products were generally faster than ALG proxies because there's less processing involved (duh). This is a fact. I have no desire to engage in yet another SPF-vs.-proxies debate; there are cases where proxies deliver security features that SPF designs can't, and there are situations where SPF designs make more sense. As the article noted, each type of product is beginning to adopt features of the other.
dn

ICMan <shane () tor securecomputing com> on 07/03/98 07:38:22 PM
Please respond to "shane () tor securecomputing com" <shane () tor securecomputing com>
To: David Newman/NYC/CMPNotes
cc: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Subject: RE: Proxy 2.0 secure?

Just so you know, early this year I was at a Firewall "Pen Testathon" at NSTL that was performed for DataCommunications Mag, and they only used ISS 5.0 for the test. They did not appear to have any other tools.

[I would like to point out that many tools give false positives, and you must be wary. For example, ISS checks for servers on the Firewall. If they are there, they give a warning. Also, if there is an ALG proxy on the port, doing proxy redirection, ISS reported a server on the Firewall, even though there was no server at the end of the redirected proxy. ISS never checked for the presence of a server by sending commands. It got a connection on a known port (in this case 119, indicating NNTP) and stated boldly that there was a news server there. Personally, I think that such tools are only good to give an indication where you should start hacking by hand.]

Also, you should note that, when doing performance testing, NSTL did not require any security measures to be enabled. The SPF firewalls did great. The vendors tuned them into little better than software routers for that phase of the testing. ALGs had reduced performance because ALG proxying, and therefore highly secure access, cannot be disabled. I thought that it would be more appropriate for the Firewalls to be in the same highly secure mode used for the Pen Test. That would give more realistic "Firewall" performance figures.

Don't believe everything you read.

ICMan

-----Original Message-----
From: David Newman [SMTP:dnewman () cmp com]
Sent: Thursday, 02 July, 1998 11:44 PM
To: tqbf () pobox com
Cc: firewall-wizards () nfr net
Subject: Re: Proxy 2.0 secure?

Glass houses, Mr. Ptacek.
You're ascribing conclusions to the article that just aren't there. The text cautioned *against* concluding that devices were secure simply because they didn't barf when we hit them with a finite number of attacks. I have no desire to get into a pissing match with you about this, but you're making up conclusions we were careful to avoid, and we even cautioned our audience against reading too much into our findings. You need to be more careful with *your* wording.

I noted earlier in this thread that this isn't an issue of ISS's tools or yours (or ours, for that matter; NSTL, which conducts most of Data Comm's security testing, has its own attack tools as well). As I said earlier, it doesn't really matter whose tool we use to generate ping of death, land, teardrop2, boink, and the like; the target machines fail the same way.

dn

tqbf () pobox com on 07/02/98 09:17:24 PM
Please respond to tqbf () pobox com
To: David Newman/NYC/CMPNotes
cc: tqbf () pobox com, firewall-wizards () nfr net
Subject: Re: Proxy 2.0 secure?
> I'm sorry you're attacking me, for we are actually in violent agreement

It is not my intention to attack you; I simply have problems with the manner in which conclusions appear to have been reached in an article you wrote.

> you that running a finite, known set of attacks against a properly configured device does *not* mean a device is secure.

You should be more careful with your wording. Running a finite number of exploits or attack signature generators against a device does not mean that a device is secure, in general or from the underlying vulnerabilities exploited/assessed by your attack tools.

> Also, a clarification: ISS Safesuite has multiple modules, including one that is intended for use against *firewalls,* not end-systems. It was

this NetSonar and CyberCop Scanner also have firewall testing modules (CCS focusses on firewalls and routers) --- but I wouldn't rely on metrics from either product to make conclusions about the security of a firewall product. Apparently you agree, and I'm misunderstanding you, but I would like to clarify the fact that this isn't an ISS vs. NAI issue (I think ISS would agree with my logic here).

-----------------------------------------------------------------------------
Thomas H. Ptacek                               SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf          "If you're so special, why aren't you dead?"
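The port-119 false positive Shane describes (a scanner seeing an accepted connection on an ALG proxy's redirected port and reporting a news server) is reproduced below as an added example; it is not code from this thread or from any scanner vendor. Two constructed local listeners stand in for a proxy redirect with no backend and for a real NNTP server, and the probe reports a news server only after reading an RFC 977 greeting.

```python
import re
import socket
import threading

# Constructed demonstration (not from the thread or any scanner): a port that
# accepts a TCP connection is not proof that a server is behind it.  An ALG
# proxy redirecting port 119 completes the handshake and only then finds it
# has no backend; a connection-only check misreads that as an NNTP server.
NNTP_GREETING = re.compile(rb"^20[01] ")  # RFC 977: 200/201 = news server ready


def _serve_once(listener, greeting):
    """Accept one client; send the greeting if there is one, then close."""
    with listener:
        conn, _ = listener.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)


def start_listener(greeting=None):
    """Start a one-shot listener on 127.0.0.1 and return its port.

    greeting=None models the proxy-redirect case: the TCP connection is
    accepted and then dropped without a single byte of NNTP.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once, args=(listener, greeting), daemon=True).start()
    return listener.getsockname()[1]


def probe_nntp(port, host="127.0.0.1", timeout=2.0):
    """Classify a port as 'closed', 'connection-only' or 'nntp-verified'.

    'connection-only' is exactly what the scanner reported as a news server;
    a verified result requires an NNTP greeting actually seen on the wire.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            banner = sock.recv(512)  # b"" when the proxy accepts then closes
        except socket.timeout:
            banner = b""  # proxy holding the socket open, still no greeting
    return "nntp-verified" if NNTP_GREETING.match(banner) else "connection-only"
```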