Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Anton Chuvakin <anton () chuvakin org>
Date: Wed, 21 Aug 2002 12:28:14 -0400 (EDT)

Hi Paul,

> modem provider's netblock.  A scanner won't pick that up unless it's
Sure.

> The Web server admin adds a new IIS mapping for .xyz files that does the
Yeah.

> The vulnerability is damaging enough that a non-destructive test isn't
But of course.

What about this? Company policy: no FTP servers on the Internet-exposed
servers. IT staff check the servers THEY DEPLOYED for FTP - none has it.
Somebody else deploys a box with FTP without telling the IT dept. A vuln scanner
will pick it up (if the FTP server is vulnerable). An audit of the KNOWN server
configurations won't. Admittedly, one can argue that a good audit should
also include periodic asset discovery, but that is beside the point.

> implementation verification.  What's more, it's possible to validate
> things either manually or in an automated fashion, and it's possible to
> architect for easy validation.
Well, isn't 'VA scanning' a kind of "outside remote tool-based
verification"? ;-)

> It takes me about 10 minutes to manually configure a Linux server so that
> I'm fairly confident that it's as "hardened" as is necessary.  It takes me
Same here. You and I might not need a scanner to verify the box just
built. To verify the open ports with vulns on 100 servers will take
15x1000 min (based on your earlier estimate) of SCANNER time and not
2x1000 minutes of YOUR time. Now, we are not even talking of verifying
boxes somebody else built.

My conclusions: scanners are good for finding human errors (mostly silly
mistakes, but that is beside the point; they might be silly, but they are still
popular) in configs remotely. They make sense in addition to config
verification, not instead of it.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
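The case Anton makes above (a scan catching an FTP server on a box nobody told IT about, which an audit of the known configurations would miss) as an added example that is not part of the thread: it parses a constructed sample of nmap's grepable (-oG) output, reconciles it against a constructed server inventory and the "no FTP on Internet-exposed servers" policy, and reports hosts absent from the inventory, unexpected open ports, policy violations, and inventoried hosts the scan never saw. The addresses (RFC 5737 documentation ranges), hostnames, expected ports and the policy table are assumptions made for illustration.

```python
"""
Reconciling an external discovery scan against the server inventory.

Added example, not code from the mailing-list thread. The inventory, the
policy and the scan output below are constructed for illustration; the
addresses are RFC 5737 documentation ranges, not real hosts.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy from the thread: no FTP on Internet-exposed servers.
FORBIDDEN_EXPOSED_PORTS = {21: "ftp"}

# Constructed inventory of the servers IT knows it deployed.
KNOWN_HOSTS = {
    "192.0.2.10": {"name": "www1", "expected_ports": {80, 443}},
    "192.0.2.11": {"name": "mail1", "expected_ports": {25, 587}},
    "192.0.2.12": {"name": "vpn1", "expected_ports": {443}},
}

# Constructed nmap grepable output (-oG) for the same netblock.
# A port entry is port/state/proto/owner/service/rpc/version.
SCAN_OUTPUT = """\
# Nmap scan report (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 22/open/tcp//ssh///, 587/filtered/tcp//submission///
Host: 192.0.2.42 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {port: service}} for TCP ports nmap reports as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and bare "Status: Up" lines carry no ports
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for port, state, proto, service in PORT_RE.findall(fields["Ports"]):
            if state == "open" and proto == "tcp":
                hosts.setdefault(ip, {})[int(port)] = service or "unknown"
    return hosts


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    kind: str  # unknown_host | unexpected_port | policy_violation | not_seen
    detail: str


def reconcile(known, scanned, forbidden=FORBIDDEN_EXPOSED_PORTS):
    """Compare what the scan saw with what the inventory and policy say."""
    findings = []
    for ip, ports in scanned.items():
        for port, service in sorted(ports.items()):
            if ip not in known:
                findings.append(Finding(ip, port, "unknown_host",
                                        f"{service} on a host absent from the inventory"))
            elif port not in known[ip]["expected_ports"]:
                findings.append(Finding(ip, port, "unexpected_port",
                                        f"{service} not expected on {known[ip]['name']}"))
            # Policy applies to every exposed host, inventoried or not.
            if port in forbidden:
                findings.append(Finding(ip, port, "policy_violation",
                                        f"{forbidden[port]} exposed to the Internet"))
    # A known host the scan never saw is worth a look too (down, moved,
    # or outside the scanned ranges, like Paul's modem-netblock example).
    for ip, entry in known.items():
        if ip not in scanned:
            findings.append(Finding(ip, 0, "not_seen",
                                    f"{entry['name']} is inventoried but the scan saw no open ports"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'unknown_host': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = reconcile(KNOWN_HOSTS, parse_grepable(SCAN_OUTPUT))
    for f in results:
        print(f"{f.kind:17} {f.ip}:{f.port:<5} {f.detail}")
    print(summarize(results))
```

Note what this does and does not give you: the unknown host 192.0.2.42 and its FTP service show up only because the scan covered the netblock it sits in; a host on a modem provider's range outside the scanned targets, or a vulnerability with no remotely visible signature, never enters `SCAN_OUTPUT` and so never becomes a finding, which is exactly the limit Paul raises.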
