Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Paul Robertson <proberts () patriot net>
Date: Wed, 21 Aug 2002 11:04:55 -0400 (EDT)

On Wed, 21 Aug 2002, Anton A. Chuvakin wrote:

Hi Anton,

> > customers don't understand that you don't *need* the attack tools to mount
> > an effective defense, nor to tell what's wrong with the current one.  I
> > think even vulnerability scanners are mostly a waste of time.

> Hmm, that really doesn't sit well with me. As I understand, you are
> advocating good security design over testing? But what about human errors
> in the above "good design"? Admittedly, no one can eliminate all of them,
> thus scanners/exploit tools will serve as a final semi-real-world test of
> how "good" the above design really is.

While I am indeed advocating good design, I'm not against validation; I'm 
against vulnerability scanning. That, I think, is our point of difference 
(or maybe I just didn't articulate it well.)  In other words, I'm saying 
that configuration validation is better than vulnerability testing for 
almost all classes of electronic attack.

Here are some examples:

The network security person decides that she'll allow any connection 
through the outside screening router and firewall originating in her cable 
modem provider's netblock.  A scanner won't pick that up unless it's 
running from that netblock or running long enough to spoof any potential 
addresses (assuming the correlation between discarded packets and rulesets 
can be made.)

The Web server admin adds a new IIS mapping for .xyz files that does the 
same thing as .ida "just in case" the company ever screws him.  Haven't 
seen a vulnerability scanner yet that would handle that well.

The vulnerability is damaging enough that a non-destructive test isn't 
possible.  Therefore the scanner never gets run for that because it might 
bring down a production machine.

Rather than go on, I'll let those serve as examples.  Good security design 
isn't best validated by vulnerability testing, it's best validated by 
implementation verification.  What's more, it's possible to validate 
things either manually or in an automated fashion, and it's possible to 
architect for easy validation.  

It takes me about 10 minutes to manually configure a Linux server so that 
I'm fairly confident that it's as "hardened" as is necessary.  It takes me 
about 2 minutes to see if a box has been configured that way (now, please 
understand I'm talking manually in both of those cases; obviously 
automating it makes it much easier.)  It takes me 15 minutes to run a 
vulnerability scanner against that box.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
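An added example, not from Paul's post or the list, of the kind of automated configuration validation he describes: a small Python script that checks a constructed firewall ruleset for the "permit everything from some outside netblock" pattern and a constructed IIS application-mapping table for an extension unexpectedly pointed at the same handler as .ida. The rule syntax, netblocks, handler names and policy tables are all assumptions made for illustration, not any vendor's real format.

```python
"""Configuration checks that catch the two misconfigurations Paul describes.

Everything below (rule syntax, addresses, mapping table, policy) is
constructed for this example.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# --- Constructed sample inputs -------------------------------------------

# A screening-router/firewall ruleset in a made-up "action src dst proto port"
# form.  Rule 3 is the cable-modem-netblock rule: one outside /24 may reach
# anything on any port.
SAMPLE_RULES = """\
permit 0.0.0.0/0 10.1.1.10/32 tcp 80
permit 0.0.0.0/0 10.1.1.10/32 tcp 443
permit 203.0.113.0/24 0.0.0.0/0 any any
deny 0.0.0.0/0 0.0.0.0/0 any any
"""

# IIS-style application mappings (extension -> handler).  Handler names are
# illustrative; idq.dll is assumed here as the Index Server handler that the
# .ida mapping pointed at, and .xyz is the "just in case" mapping to it.
SAMPLE_MAPPINGS = {
    ".asp": "asp.dll",
    ".ida": "idq.dll",
    ".xyz": "idq.dll",
}

# --- Policy (what the design says should be true) ------------------------

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Extensions each handler is expected to serve.  An empty set means the
# handler should have no mappings at all.
EXPECTED_HANDLER_EXTENSIONS: Dict[str, Set[str]] = {
    "asp.dll": {".asp"},
    "idq.dll": set(),
}

RULE_FIELDS = ("action", "src", "dst", "proto", "port")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse the constructed rule lines into dicts keyed by RULE_FIELDS."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != len(RULE_FIELDS):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(dict(zip(RULE_FIELDS, fields)))
    return rules


def _is_internal(net: ipaddress.IPv4Network, internal_nets) -> bool:
    """True if `net` lies entirely inside one of the trusted networks."""
    return any(net.version == i.version and net.subnet_of(i) for i in internal_nets)


def find_permissive_rules(text: str, internal_nets) -> List[str]:
    """Return permit rules that let an outside source reach any host or any port.

    A permit from 'any' to one service port is normal; a permit from a
    specific external netblock to everything is exactly what a scanner run
    from some other address never sees.
    """
    findings = []
    for r in parse_rules(text):
        if r["action"] != "permit":
            continue
        src = ipaddress.ip_network(r["src"], strict=False)
        dst = ipaddress.ip_network(r["dst"], strict=False)
        broad_dst = dst.prefixlen == 0 or r["port"] == "any"
        if broad_dst and not _is_internal(src, internal_nets):
            findings.append(" ".join(r[f] for f in RULE_FIELDS))
    return findings


def find_unexpected_mappings(mappings: Dict[str, str],
                             expected: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (extension, handler, reason) for mappings the policy does not expect."""
    findings = []
    for ext, handler in mappings.items():
        allowed = expected.get(handler)
        if allowed is None:
            findings.append((ext, handler, "handler not in policy"))
        elif ext not in allowed:
            findings.append((ext, handler, "extension not expected for this handler"))
    return findings


def validate() -> Dict[str, list]:
    """Run both checks over the constructed samples and return the report."""
    return {
        "firewall": find_permissive_rules(SAMPLE_RULES, INTERNAL_NETS),
        "iis_mappings": find_unexpected_mappings(SAMPLE_MAPPINGS, EXPECTED_HANDLER_EXTENSIONS),
    }


if __name__ == "__main__":
    for section, items in validate().items():
        print(f"[{section}] {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Both checks are pure comparisons of configuration against stated policy, so they run in well under Paul's "2 minutes" and find the rule and the mapping no matter which address a scanner would have come from.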