Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: John McDermott <jjm () jkintl com>
Date: Sun, 20 Sep 98 16:51:37
--- On Sat, 19 Sep 1998 23:26:59 -0400 (EDT) "Paul D. Robertson" <proberts () clark net> wrote:
> HTTP is an open-ended protocol specification with some _limitless_ size specifications, I submit that it is beyond "difficult" to verify correct functionality of a layer 5 transport protocol. Testing just buffer overflows on limitless length objects would seem to be less than an ideal situation.

Absolutely.

> Proxies are much easier to verify than stateful filters under

No doubt about that.

> the same circumstances, but once again, the source code is probably going to give you a much higher level of assurance that oversized objects are correctly handled unless you don't go look at the source to the library routines as well, in which case you can either do that, or accept a lower level of assurance by banging against the calls with a substantial set of test data.

I do not disagree with this. My real concern is that you have to know what to look for. If the designers of the versions of the code which have "security holes" had known what to look for, they would have (hopefully!) done things correctly. My real concern is that the inspectors have to know what to look for. You are also making an assumption that I was not: that the tester has access to the source code. I doubt if I could go to vendor "X" and tell them that I want to verify the security of a firewall for my client and could I have a peek at the source. Maybe if my client were big enough I could, but for many of us that is not an option. Just out of curiosity, does ICSA look at the source for certification?

> Paul
--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------