Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 19 Sep 1998 23:19:58 -0400 (EDT)
On Fri, 18 Sep 1998, John McDermott wrote:
By the same token, how can firewall testing be accomplished? Let us assume bug B. If there is no scanner for bug B because it is unknown until time T, then how can a firewall be certified at time <T that it protects itself and an internal network from bug B? That is, testing goes hand-in-hand with firewall certification, as I see it. If a firewall is certified to be correct wrt all known bugs on 1Sep98, how can it be guaranteed to be correct wrt some bug developed 10 September? It seems to me that certification of firewalls and scanners needs to be explicitly "as of date xx/xx/xxxx" and that all bets are off after that.
This assumes that you either can't model the vulnerabilities, or that you're only testing via scanner. While it isn't 100% foolproof, there's a lot to be learned from a B2 evaluation. Security modeling, code walk-throughs, secure development methodologies, they all have their place if you're going to build assurance.

"After-the-fact" testing is always _much_ more blind than during "construction" testing. Just as crystal boxes tend to be better than black boxes in that regard. If you go over the code in the IP stack for fragment handling, and you know for certain how fragments should be handled, then you can probably get a high assurance that they're handled correctly. If you throw lots of fragments for lots of protocols at it, and your test doesn't encompass overlapping fragments, your level of assurance is lower.

Hopefully, when they build a skyscraper or overpass they don't wait until the thing is done to look at the structural integrity. History in secure development is a good checkbox for me when I choose vendors. I wouldn't choose a structural engineer based on the fact that they'd painted houses pretty colors for years.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                       PSB#9280
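As an added illustration of the coverage point in the reply above (example code, not from the thread or any product it discusses): a small reassembly bookkeeping check in Python, with fragments modelled as constructed (offset, length, more-fragments) tuples whose offsets are already in bytes. A test corpus that contains only well-formed fragment sets never exercises the overlap branch, which is exactly the assurance gap the reply describes.

```python
# Added example: classify a set of IP fragments belonging to one datagram.
# Fragments are (offset_in_bytes, payload_length, more_fragments_flag).
# The IP header stores offsets in 8-byte units; a real parser multiplies
# by 8 before calling this. All sample fragment sets below are constructed.

def check_fragments(fragments):
    """Return "complete", "incomplete", "overlap" or "inconsistent"."""
    frags = sorted(fragments, key=lambda f: f[0])
    covered_to = 0        # bytes covered contiguously from offset 0 so far
    last_seen = False     # set once a fragment with MF=0 has been processed
    for offset, length, more in frags:
        if last_seen:
            return "inconsistent"   # data claimed after the final fragment
        if offset < covered_to:
            return "overlap"        # re-covers bytes an earlier fragment had
        if offset > covered_to:
            return "incomplete"     # hole that no later fragment can fill
        covered_to = offset + length
        if not more:
            last_seen = True
    return "complete" if last_seen else "incomplete"


def outcomes_exercised(test_sets):
    """Which reassembly outcomes a corpus of fragment sets actually reaches."""
    return {check_fragments(s) for s in test_sets}


# Constructed "scanner-style" corpus: plenty of fragments, none overlapping.
WELL_FORMED_ONLY = [
    [(0, 1480, True), (1480, 1480, True), (2960, 100, False)],
    [(1480, 100, False), (0, 1480, True)],          # arrives out of order
    [(0, 1480, True), (2960, 100, False)],          # missing middle piece
    [(0, 1480, True)],                              # last fragment never came
]

# Constructed corpus that also includes the cases a walk-through would add.
WITH_OVERLAP = WELL_FORMED_ONLY + [
    [(0, 1480, True), (1472, 100, False)],          # tail overlaps the head
    [(0, 100, False), (100, 50, True)],             # data after "last" piece
]

if __name__ == "__main__":
    print("well-formed corpus reaches:", sorted(outcomes_exercised(WELL_FORMED_ONLY)))
    print("overlap-aware corpus reaches:", sorted(outcomes_exercised(WITH_OVERLAP)))
```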