Firewall Wizards mailing list archives
Re: I wonder, how to test..
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 30 Jul 2004 12:30:45 -0400 (EDT)
On Thu, 29 Jul 2004, Meindert Uitman wrote:
> Hi list, As a regular reader of this list, and (amongst many other tasks) responsible for security at our company, I wonder. I've taken most measures to make our business secure. It's all on a small scale, everything runs well, but every now and then the tiny hairs on the back of my head make me wonder how secure it all is. Yes, webservers are locked down, are in DMZ, only http permitted, SQL on inside via data layers, only necessary ports between DMZ and inside; this production environment is colocated, office is connected via PIX to PIX vpn, restricted access to this vpn, etc.
Sounds pretty reasonable so far...
> Are there any low cost means / tools out there to verify that what I have done so far is reasonable proof?
"Proof" is a bad word, as it tends to draw absolute lines, and unfortunately, security is really about probability. You can do a lot, but you could get one thing wrong, and it could sink you- the real question is have you done all that's reasonably prudent? Have you mitigated the biggest risks you face in the most cost-effective manner? For that, it takes a good understanding of threat rates, vulnerability prevalence, and costs.

A "tool" can tell you how well you've implemented your controls, and perhaps indicate where controls haven't been implemented- so it can take the vulnerability portion of the equation, but it really can't do the other two. Testing with vulnerability scanners, port mappers, etc. will, as others have pointed out, give you an idea of the common exposures, which generally equate to the highest potential risks, but they certainly can't tell you the entire picture. That takes knowledge and information, and will change over time.

Test what you can, monitor what you can, and validate/verify by looking at common patterns and see how you've fared historically. That won't give you the huge relief gap you're looking for, but what you're looking for really isn't cheap to do right.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
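Paul's point that a tool can only check the "vulnerability portion of the equation" (whether the controls you intended are actually in place) is easiest to act on if the intended policy is written down and compared against what a port mapper observes. The following is an added example, not code from the thread or from any of its participants: it takes a small policy table of what each DMZ web server should expose to the Internet (here, only HTTP, as the original question describes), parses nmap's grepable (`-oG`) output, and reports every open port the policy does not allow and every allowed port that was not seen open. The hosts, addresses and scan lines are constructed for the example; `POLICY`, `parse_grepable` and `audit` are names chosen here, not from any tool.

```python
"""Compare observed open ports against the intended firewall policy.

Added example (not from the list post). The policy table and the scan
output below are constructed sample data for a DMZ with two web servers
that should answer only on 80/tcp from the outside.
"""
import re
from typing import Dict, Set, Tuple

# Intended exposure per DMZ host as seen from the Internet: address -> allowed TCP ports.
# Constructed example policy (documentation addresses from RFC 5737).
POLICY: Dict[str, Set[int]] = {
    "192.0.2.10": {80},
    "192.0.2.11": {80},
}

# Constructed nmap -oG style output for the same two hosts. The second host
# has two ports open that the policy does not allow.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
# Nmap done
"""

# One port entry in -oG output looks like "80/open/tcp//http///".
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from nmap -oG output."""
    observed: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports: Set[int] = set()
        m = re.search(r"Ports: (.*?)(\t|$)", line)
        if m:
            for num, state, proto in PORT_RE.findall(m.group(1)):
                if state == "open" and proto == "tcp":
                    ports.add(int(num))
        observed.setdefault(host, set()).update(ports)
    return observed


def audit(policy: Dict[str, Set[int]],
          observed: Dict[str, Set[int]]) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """For every host in the policy or the scan, return
    (open ports the policy does not allow, allowed ports not seen open).

    A host that appears in the scan but not in the policy is treated as
    having no allowed ports, so everything open on it is flagged.
    """
    result: Dict[str, Tuple[Set[int], Set[int]]] = {}
    for host in sorted(set(policy) | set(observed)):
        allowed = policy.get(host, set())
        seen = observed.get(host, set())
        result[host] = (seen - allowed, allowed - seen)
    return result


if __name__ == "__main__":
    for host, (unexpected, missing) in audit(POLICY, parse_grepable(SCAN_OUTPUT)).items():
        status = "OK" if not unexpected and not missing else "DEVIATION"
        print(f"{host}: {status} unexpected={sorted(unexpected)} missing={sorted(missing)}")
```

Run as a script it prints one line per host; with real data you would feed it the `-oG` file from a scan of your own DMZ address range taken from outside the PIX. The comparison is deliberately two-sided: an allowed port that is not open usually means a broken service or a scan that was filtered, which is worth knowing about even though it is not an exposure.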
Current thread:
- I wonder, how to test.. Meindert Uitman (Jul 29)
- Re: I wonder, how to test.. Adrian Grigorof (Jul 30)
- Re: I wonder, how to test.. Kevin Sheldrake (Jul 30)
- Re: I wonder, how to test.. Martin Mačok (Jul 30)
- Re: I wonder, how to test.. Kevin Sheldrake (Jul 30)
- Re: I wonder, how to test.. Paul D. Robertson (Jul 30)
- Re: I wonder, how to test.. Kevin Sheldrake (Jul 30)
- Re: I wonder, how to test.. Adrian Grigorof (Jul 30)