Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Apr 2009 20:04:07 -0500

AMuse wrote:
> Isn't the point of pen-testing to take up an attacker's perspective and hit all your defenses to see if you missed something or misconfigured something? I mean, unless you're the only person who set up 100% of your infrastructure, how are you to know that someone didn't accidentally leave telnet open?


By that logic, I'd want to have another expert system administrator,
not a pen tester, go through my configuration docs and my design
and validate my implementation against my design and docs.

Why would I want someone taking an outsider's perspective - I'd
be much more likely to find something really useful if I had
another expert red-team my configuration and design. Once that's
done, I could validate my implementation against my design as
often as I liked and - if I were really paranoid - I could put
technology in place to make sure I was notified if my
implementation had changed.

This is not simply theoretical, by the way, it's real and I've
put it in practice. The last website I set up, I enumerated
all the connectivity I could expect to reasonably see on
the backend network, so my syslog server was set up to
double as an intrusion detection system by simply running
tcpdump through a program that threw away all the traffic
that was within the enumerated connectivity list, and
alerted on anything else.

Good design just works. You cannot pen test a bad design
into a good design any more than you can patch a badly
coded piece of shovelware into a robust, secure operating
system. (*ahem*) Or turn a sow's ear into a silk purse.


> If you didn't write 100% of the webapps your company is using, how are you to know they don't have SQL injection flaws?


There's this thing called a "design review" and a "code review"
and if you're putting webapps on the Internet and you don't
know what those things are, you're toast no matter how much
pen testing you do.

So, the design for your webapps should have touch-points
which enumerate all the places where end-user data is pushed
into the system, how it's transformed, and where it's used
in constructions. Those touch-points should all vector
through common input cleaning libraries. Again, this should
be in the design docs and comments and code. Before you field
it, you might want to hire some expert coder to review and
make sure the implementation matches the design - and/or use
a workflow system like Fortify's source code* security suite,
to map out the data-flows, look for buffer overruns, etc. Or
hire a company like Gary McGraw's Cigital, which specializes
in software security and have them do a red team design
review. That's how the grown-ups do it.

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com

(* disclaimer; I am on a technology advisory board for Fortify,
so you can consider me biassed.)
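
The enumerated-connectivity filter described in the message above, sketched as an added example (not code from the original post or its author). The addresses, ports and flow list are constructed, and the line shape is assumed to be what `tcpdump -l -nn -q` prints for IPv4.

```python
import ipaddress
import re
import sys

# Constructed allowlist (hypothetical hosts): (client net, server net, proto, server port)
ALLOWED = [(ipaddress.ip_network(c), ipaddress.ip_network(s), proto, port)
           for c, s, proto, port in [
    ("10.0.1.0/24", "10.0.2.10/32", "tcp", 5432),  # web tier -> database
    ("10.0.0.0/16", "10.0.9.5/32", "udp", 514),    # any host -> syslog server
]]

# Assumed line shape (tcpdump -l -nn -q):
#   12:00:01.000001 IP 10.0.1.20.40112 > 10.0.2.10.5432: tcp 0
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (\w+)")

def expected(src, sport, dst, dport, proto):
    """True if the packet is a request or a reply on an enumerated flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for client, server, p, port in ALLOWED:
        request = src in client and dst in server and dport == port
        reply = src in server and dst in client and sport == port
        if p == proto and (request or reply):
            return True
    return False

def alerts(lines):
    """Return every line outside the enumerated list; unparsed lines fail closed."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            if expected(src, int(sport), dst, int(dport), proto.lower()):
                continue  # enumerated traffic is thrown away
        out.append(line.rstrip("\n"))
    return out

# Constructed sample capture, not real traffic.
SAMPLE = [
    "12:00:01.000001 IP 10.0.1.20.40112 > 10.0.2.10.5432: tcp 0",
    "12:00:01.000210 IP 10.0.2.10.5432 > 10.0.1.20.40112: tcp 0",
    "12:00:02.104000 IP 10.0.2.10.38211 > 10.0.9.5.514: UDP, length 96",
    "12:00:03.500000 IP 10.0.1.20.40200 > 10.0.2.10.23: tcp 0",
    "12:00:04.000000 ARP, Request who-has 10.0.2.10 tell 10.0.2.99, length 28",
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print("ALERT", hit)
```

The reply rule matches on the server's source port only, so it is looser than tracking connection state; anything the parser does not recognize is alerted on rather than dropped.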