Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "Ivan Arce,CORE SDI" <ivan () securenetworks com>
Date: Tue, 22 Sep 1998 16:09:58 -0600 (MDT)
On Sun, 20 Sep 1998, Adam Shostack wrote:
On Sun, Sep 20, 1998 at 06:47:08AM +1000, Christopher Nicholls wrote: | At 12:44 AM 18/09/98 -0700, Crispin Cowan wrote: | >tqbf () pobox com wrote: | >I beg to differ. A firewall can at least theoretically be verified: if | it is | >formally proven to enforce a policy of (say) allowing through traffic on | ports X | >and Y, and no others, then the firewall is verified. A scanner, on the other | >hand, can never be verified, because the potential list of vulnerabilities | that | >it could reasonably be expected to check for is infinite. Scanners can | never be | >complete, because the space of possible mis-configurations and buggy software | >knows no bounds. | | True, but the same can be said for firewalls, in that there are always new | attack mechanisms being developed to defeat firewalls; so in a sense they | are never complete either. Certification of firewalls is usually | assurance-based; that is, verified to levels of asuusrance - such as the | Common-Criteria evaluations. This means that basically the certification | procedure checks and confirms what the manufacturers claim it can can do - | a security target. Maybe it would be possible to set a similar security | target for intrusion detection software and scanner software too? The platonic-ideal firewall resists new attacks. I don't believe that the ideal scanner finds new things. Thus, a firewall that does not block a new attack in the class of things it is designed to watch is broken. This is the result of a deny everything stance. In practice, firewalls will fall short of their goal. The question to ask is how far and how often?
IMHO the platonic-ideal scanner detects all the bugs its designed to detect without false positives disregarding a finite set of factors ( net. topology, firewalls in between, NAT, operating systems, configuration variations, os versions and interactions between those factors). In that sense i believe its harder to certify a scanner than a firewall *unless* a scope and framework for the certification procedure is predefined. OTOH a firewall must enforce a policy no matter what.. Ivan Arce SecLabs @ NAI
Current thread:
- Re: Penetration testing via shrinkware, (continued)
- Re: Penetration testing via shrinkware Ryan Russell (Sep 03)
- RE: Penetration testing via shrinkware Gary Crumrine (Sep 03)
- RE: Penetration testing via shrinkware Christopher Nicholls (Sep 07)
- Re: Penetration testing via shrinkware tqbf (Sep 17)
- Re: Penetration testing via shrinkware Crispin Cowan (Sep 18)
- Re: Penetration testing via shrinkware Ted Doty (Sep 19)
- Re: Penetration testing via shrinkware tqbf (Sep 19)
- Re: Penetration testing via shrinkware Dave Whitlow (Sep 19)
- Re: Penetration testing via shrinkware Christopher Nicholls (Sep 19)
- Re: Penetration testing via shrinkware Adam Shostack (Sep 20)
- Re: Penetration testing via shrinkware Ivan Arce,CORE SDI (Sep 23)
- Re: Penetration testing via shrinkware tqbf (Sep 21)
- RE: Penetration testing via shrinkware Christopher Nicholls (Sep 07)
- Re: Penetration testing via shrinkware Crispin Cowan (Sep 19)