Penetration Testing mailing list archives

Re: Pentesting Old unsupported Firewall Appliances


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Tue, 12 Jun 2007 13:36:00 +0100

On 11/06/07, Harold Castro <b0ydaem0n () yahoo com> wrote:
> Hi,
> ..
> Since I'm doing an external black box pentest, I have
> to rely on some tools for OS fingerprinting. Nmap
> guesses it to be either Nokia IPSO 4.0 or 4.1Build19.
> Now I tried googling for that particular appliance
> (IP650) and I found out that the appliance is too old
> as its existence dates back as early as 1999. I'm
> having a hard time trying to find anything
> that can be useful for this

Usually the next stage would be to try to exploit it - providing that
is allowed for by your penetration-testing contract. (It should be,
otherwise it's more of an audit rather than a pen-test.)

> If all else fails, do you tell the customer that it is
> safe to ignore those warnings and vulnerabilities
> because you, from a hacker's perspective, were not able
> to penetrate the network by making use of those
> vulnerabilities found, that the hacker might have a
> hard time as well and eventually opt for another
> target?

I don't like to. If you aren't able to break it, just say so. As a
pen-tester, you haven't got enough information to say if it's safe.
Obviously, if you break it, it's not safe, otherwise you don't know.

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
