Firewall Wizards mailing list archives

Re: Firewall Audit Programme/checklist


From: Bret Watson <lists () bwa net>
Date: Sat, 17 Jan 1998 21:56:14

Marcus,

> I do a lot of training for a "big six" firm and an audit checklist
> is a fairly common request. I haven't ever given one to anyone,
> because I don't have one. If you know what you're doing when you
> audit a firewall, you don't need a checklist. If you don't know

Agreed - Why are we looking at this? - one having a checklist means that we
could use a stooge to collect particular data - not my idea, but I suspect
the local C&L would like this - saves on paying for me :{

The real reason is this - if you have a structured framework and a series
of 'checklists/tests' for a range of problems - then you begin to provide
some form of structure to the whole thing - it will help those new to the
game have _some_ idea of what they really should be doing - there are more
than a few that believe that if they cannot hack into it it is OK -
otherwise the way they hacked in is the vulnerability - sad but true...

> Now, obviously, that's not going to make a lot of sense on a
> Checkpoint, or a Firewall/Plus, etc. Someone who was using this
> checklist would either look stupid or would have to know enough
> about what they're doing to not need it in the first place. :)

Certainly - I find that even on all the varying forms of FW/Unix - there is
still a structure though - you can still manage to find the log files etc -
no matter where the manufacturer deems it useful to store them :{.

I feel that a checklist is better as a guide than as a bible - anyone doing
an audit 'by the book' is going to get caught out really fast in our
industry - if not by their employer, then by a hacker using something
different - same as the paper on IDS...

> in the installed context. It takes a lot of expertise -- more than
> can be comfortably fit in a book or taught. Even if you did fit it
> on a checklist or in a book by the time you had it written down
> the rules would have changed. :(

doesn't it just, but hey it's another windmill :}


> that are basically undocumented. :( What you really want isn't a
> checklist, it's a flow-chart. A really BIG flow-chart that goes
> kind of like:

good idea - we might follow this one as well - thinking about it - it's more
like a diagnostic chart than anything - which is what we are doing when we
audit really...

Cheers,

bret
Technical Incursion Countermeasures 
consulting () bwa net                      http://www.ticm.com/
ph: (+61)(08) 9454 2487(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - a e'zine on Computer security
http://www.ticm.com/about/insider.html


