Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: "David Newman" <dnewman () cmp com>
Date: Tue, 30 Jun 1998 23:41:43 -0400


Thomas,

I'm sorry you're attacking me, for we are actually in violent agreement
here. Let me remind you that I came in on this thread by *agreeing* with
you that running a finite, known set of attacks against a properly
configured device does *not* mean a device is secure.

Also, a clarification: ISS Safesuite has multiple modules, including one
that is intended for use against *firewalls,* not end-systems. It was this
firewall-specific module we used in our testing. I have no interest in ISS
Safesuite, nor have I ever represented it as encompassing the universe of
attacks a firewall would face.

dn

tqbf () pobox com on 06/30/98 05:04:20 AM

Please respond to tqbf () pobox com

To:   David Newman/NYC/CMPNotes
cc:   tqbf () pobox com, firewall-wizards () nfr net
Subject:  Re: Proxy 2.0 secure?
The article made clear that we did not in any way certify products as
"secure," whatever that means. Our tests evaluated only whether properly

You stated that your methodology would not account for misconfiguration or
new attacks. I am stating that your methodology does not account for old
attacks, either, but rather only the specific incarnations of a specific
set of largely irrelevant (to a firewall) attacks generated by a network
testing tool designed to test end-systems and not firewalls. Your
disclaimer is thus seriously misleading.

both very real problems, but beyond the scope of our test. I agree that
scanners and IDS products are a good way of evaluating device configuration
(and I'm pleased to see you think IDS products are good for something ;-)

I do not think I-D is a good way of verifying device configuration; I
think that the use of I-D for config verification is seriously flawed.
Moreover, you did not use I-D tools in your test (or if you did, you
didn't document that in your article).

Additionally, I do not think IDS products based on passive network
analysis ("sniffing") are worth anything at all. I have no opinion about
any other form of I-D (and there are many others, some of which are
incarnated in very popular commercial packages); please do not
misunderstand this.

-----------------------------------------------------------------------------
Thomas H. Ptacek                       SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf     "If you're so special, why aren't you dead?"