Re: Proxy 2.0 secure?

["Brian Steele" <steele_b () spiceisle com>]

> Real-world testing is *not* running a scanner against
> firewall/unix/whatever. Can Safesuite tell you if ns.nasa.gov has a
> username 'test' with password 'nasa'? Of course not, but in 'real world',
> you *could* try that as well. In 'real world', you can have 20.000$
> firewall on internet 'side', but you also can have small, forgotten unix
> machine connected to x.25 with test/test account, in example... Plenty of
> other 'real-world' examples.

The test covers the security performance of NT-based firewall systems in the
ideal security environment, I agree.  The test do not show how that could be
expected to perform security-wise if you were moronic enough to leave gaping
holes in your access mechanism via test accounts, alternate access paths and
the like.

But should they?

I think we may be mixing up the testing of an application's security control
mechanisms with a company's security implementation utilizing that
application. Or looking at it from another direction, if someone implements
MSP 2.0 and then removes all packet filtering, is this security hole the
fault of MSP 2.0 or the sysadmin who removed the filters?


Brian Steele