Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 19 Sep 1998 23:19:58 -0400 (EDT)

On Fri, 18 Sep 1998, John McDermott wrote:

> By the same token, how can firewall testing be accomplished?  Let us assume 
> bug B.  If there is no scanner for bug B because it is unknown until time 
> T, then how can a firewall be certified at time <T that it protects itself 
> and an internal network from bug B?  That is, testing goes hand-in-hand 
> with firewall certification, as I see it.
> 
> If a firewall is certified to be correct wrt all known bugs on 1Sep98, how 
> can it be guaranteed to be correct wrt some bug developed 10 September?  It 
> seems to me that certification of firewalls and scanners needs to be 
> explicitly "as of date xx/xx/xxxx" and that all bets are off after that.

This assumes that you either can't model the vulnerabilities, or that 
you're only testing via scanner.  While it isn't 100% foolproof, there's 
a lot to be learned from a B2 evaluation.  Security modeling, code 
walk-throughs, secure development methodologies, they all have their 
place if you're going to build assurance.  "After-the-fact" testing is 
always _much_ more blind than during "construction" testing.  Just as 
crystal boxes tend to be better than black boxes in that regard.  

If you go over the code in the IP stack for fragment handling, and you 
know for certain how fragments should be handled, then you can probably 
get a high assurance that they're handled correctly.  If you throw lots 
of fragments for lots of protocols at it, and your test doesn't encompass 
overlapping fragments, your level of assurance is lower.  

Hopefully, when they build a skyscraper or overpass they don't wait until 
the thing is done to look at the structural integrity.  

History in secure development is a good checkbox for me when I choose 
vendors.  I wouldn't choose a structural engineer based on the fact that 
they'd painted houses pretty colors for years.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
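The fragment-handling point in the message above, as an added example that is not part of the original post or the list: a toy reassembler whose completeness check merely counts bytes passes a suite of in-order, out-of-order and missing-fragment cases, and only a suite that includes overlapping fragments exposes the defect. The reference policy (later data overwrites earlier), the function names and the test cases are all assumptions constructed for this example.

```python
# Added example, not from the original post: two toy fragment reassemblers run
# against two test suites. Assumed reference policy: later data overwrites earlier.
from collections import namedtuple
# offset: byte offset in the datagram; more: More-Fragments flag, False on the last one
Fragment = namedtuple("Fragment", "offset data more")

def _place(buf, frag):
    """Copy the fragment into the reassembly buffer, growing it as needed."""
    end = frag.offset + len(frag.data)
    if end > len(buf):
        buf.extend(b"\0" * (end - len(buf)))
    buf[frag.offset:end] = frag.data
    return end

def reassemble_by_count(frags):
    """Defective: 'complete' once the number of bytes received reaches the total.
    Overlaps are double-counted, so overlap plus a gap passes with a hole of zeros."""
    buf, received, total = bytearray(), 0, None
    for f in frags:
        end = _place(buf, f)
        received += len(f.data)
        if not f.more:
            total = end
    return bytes(buf[:total]) if total is not None and received >= total else None

def reassemble_by_coverage(frags):
    """Correct: complete only when every offset below the total has actually arrived."""
    buf, covered, total = bytearray(), set(), None
    for f in frags:
        end = _place(buf, f)
        covered.update(range(f.offset, end))
        if not f.more:
            total = end
    return bytes(buf[:total]) if total is not None and covered >= set(range(total)) else None

# Constructed test cases: (fragments as delivered, expected datagram or None).
NON_OVERLAPPING_SUITE = [
    ([Fragment(0, b"hello ", True), Fragment(6, b"world", False)], b"hello world"),
    ([Fragment(6, b"world", False), Fragment(0, b"hello ", True)], b"hello world"),
    ([Fragment(0, b"hel", True), Fragment(8, b"rld", False)], None),  # gap, no overlap
]
OVERLAPPING_SUITE = [
    # Repeated fragment plus a gap: 20 bytes counted, but offsets 8..15 never arrive.
    ([Fragment(0, b"A" * 8, True), Fragment(0, b"A" * 8, True), Fragment(16, b"C" * 4, False)], None),
    # Overlap that does cover everything; later data wins under the stated policy.
    ([Fragment(0, b"A" * 8, True), Fragment(4, b"B" * 8, False)], b"AAAA" + b"B" * 8),
]
def run_suite(reassembler, suite):
    """True when the reassembler gives the expected result on every case."""
    return all(reassembler(frags) == expected for frags, expected in suite)
```

Running both reassemblers against both suites shows the count-based one passing every non-overlapping case and failing only when overlaps appear, which is the gap in assurance the message describes.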