Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: Paul Robertson <proberts () patriot net>
Date: Wed, 21 Aug 2002 11:04:55 -0400 (EDT)
On Wed, 21 Aug 2002, Anton A. Chuvakin wrote:

> > customers don't understand that you don't *need* the attack tools to mount an effective defense, nor to tell what's wrong with the current one. I think even vulnerability scanners are mostly a waste of time.
>
> Hmm, that really doesn't sit well with me. As I understand, you are advocating good security design over testing? But what about human errors in the above "good design"? Admittedly, no one can eliminate all of them, thus scanners/exploit tools will serve as a final semi-real-world test of how "good" the above design really is.

Hi Anton,

While I am indeed advocating good design, I'm not against validation, I'm against vulnerability scanning; that, I think, is our point of difference (or maybe I just didn't articulate it well.) In other words, I'm saying that configuration validation is better than vulnerability testing for almost all classes of electronic attack. Here are some examples:

The network security person decides that she'll allow any connection through the outside screening router and firewall originating in her cable modem provider's netblock. A scanner won't pick that up unless it's running from that netblock or running long enough to spoof any potential addresses (assuming the correlation between discarded packets and rulesets can be made.)

The Web server admin adds a new IIS mapping for .xyz files that does the same thing as .ida "just in case" the company ever screws him. Haven't seen a vulnerability scanner yet that would handle that well.

The vulnerability is damaging enough that a non-destructive test isn't possible. Therefore the scanner never gets run for that because it might bring down a production machine.

Rather than go on, I'll let those serve as examples. Good security design isn't best validated by vulnerability testing, it's best validated by implementation verification. What's more, it's possible to validate things either manually or in an automated fashion, and it's possible to architect for easy validation.

It takes me about 10 minutes to manually configure a Linux server so that I'm fairly confident that it's as "hardened" as is necessary. It takes me about 2 minutes to see if a box has been configured that way (now, please understand I'm talking manually in both of those cases; obviously automating it makes it much easier.) It takes me 15 minutes to run a vulnerability scanner against that box.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
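The argument above is that checking the configuration you actually deployed against what you intended catches classes of mistakes a signature-driven scanner cannot, including ones nobody has written a check for yet. The following is an added example (it is not code from the post, nor from any firewall or IIS product) that turns two of Paul's cases into automated implementation-verification checks: a permit rule whose source is an entire provider netblock, and a script mapping (.xyz) that hands an unexpected extension to the same handler as .ida. The ruleset syntax, the script-map table, the baseline and all sample values are constructed for this example; the addresses are from the documentation ranges, and the threshold of "anything broader than a /24 is suspicious" is an assumed policy, not something the post states.

```python
"""Configuration validation (implementation verification) instead of
vulnerability scanning. Added example; formats and samples are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed ruleset in a made-up four-field syntax:
#   action  source  destination  ports
SAMPLE_RULES = """\
permit 192.0.2.10/32 any 443
permit 198.51.100.0/22 any any
deny any any any
"""

# Constructed IIS-style script map: extension -> handler DLL.
# .ida is the well-known case; .xyz is the admin's "just in case" addition.
SAMPLE_SCRIPTMAPS = {
    ".asp": "asp.dll",
    ".ida": "idq.dll",
    ".xyz": "idq.dll",
}

# The documented intent: only these mappings should exist (deny-by-default
# baseline, so a new extension is a finding even if no scanner knows it).
EXPECTED_SCRIPTMAPS = {".asp": "asp.dll"}


@dataclass
class Finding:
    check: str   # which validation check fired
    detail: str  # human-readable description


def parse_rules(text):
    """Parse the constructed ruleset into (lineno, action, src, dst, ports)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        action, src, dst, ports = fields
        rules.append((lineno, action, src, dst, ports))
    return rules


def broad_source_rules(text, max_prefix_len=24):
    """Flag permit rules whose source is wider than a /max_prefix_len.
    (Assumed policy: a whole provider netblock should never be trusted.)"""
    findings = []
    for lineno, action, src, dst, ports in parse_rules(text):
        if action != "permit":
            continue
        if src == "any":
            findings.append(Finding("firewall", f"line {lineno}: permit from any to {dst}"))
            continue
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen < max_prefix_len:
            findings.append(Finding(
                "firewall",
                f"line {lineno}: permit from {net} ({net.num_addresses} addresses) "
                f"to {dst} ports {ports}"))
    return findings


def unexpected_scriptmaps(scriptmaps, expected):
    """Flag every mapping that differs from the baseline; no signature for
    .xyz is needed, because the check is 'not in the intended set'."""
    return [Finding("iis", f"{ext} -> {dll} not in baseline")
            for ext, dll in scriptmaps.items()
            if expected.get(ext) != dll]


def validate(rules_text=SAMPLE_RULES, scriptmaps=SAMPLE_SCRIPTMAPS,
             expected=EXPECTED_SCRIPTMAPS):
    """Run both checks; an empty list means the deployment matches intent."""
    return broad_source_rules(rules_text) + unexpected_scriptmaps(scriptmaps, expected)


if __name__ == "__main__":
    for f in validate():
        print(f"[{f.check}] {f.detail}")
```

Against the constructed samples the run reports three findings: the /22 permit rule, and both the .ida and .xyz mappings. The /32 permit and the deny rule are silent. Note that neither check needs network access to the target, which is also why it can be run against a machine too fragile to scan.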