On Mon, 13 Mar 2000, Larry wrote:

> I need to be able to go to a customers site and do a Netwk/Security
> audit and wondered if there was a piece of software that would do a pretty
> good security audit out there ?

If auditing software were good enough, there wouldn't be a reason for
people to go to sites and do audits.  The problem (mostly) *isn't*
scanning boxes, it's knowing how things work and why - IOW interpreting the
results.  

If you're looking for "a piece of software that would do a pretty good
security audit", I personally think you shouldn't be trying to sell
security audits.  Questions like this *almost* make me change my mind
about the whole certification debate [No Dave, you don't win yet.]   

Most commercial products and open source scanners are limited to "normal"
IP.  They don't touch a large number of other protocols that could
have security implications, most of them don't touch routing protocol
misconfiguration which is one of the best attack vectors out there, and a
lot of the commercial products miss subtleties that aren't immediately
apparent to those who would regurgitate their reports.

IMNSHO, nmap is still the best scanner out there for IP.  It doesn't do
pretty graphs and it doesn't give you "might be right" assumptions, it
gives you raw data.  Older stacks have problems with some of its scans,
and undoubtedly if you try to scan any network with old gear
aggressively you'll bring something down sooner or later.  

If you want the point and click report thingie, just look at what everyone
else is using for that.

> If someone has a list to check by I would appreciate it, if you're willing to
> share.

Auditors should be able to verify a network's security.  That means they
should know a *heck* of a lot about networking and security or have
immediate access to someone who does.  They also need to know a large
amount about current, past and future attacks and attack patterns.
Lastly, they should have enough operational experience to be able to
discuss the effects of interoperability or configuration issues. 

That's not static content, and any checklist that portends to be a full
audit needs a heck of a lot of stuff behind it that passing it out doesn't
produce out of thin air.  If you can't make one, I think you'll have a
heck of a time keeping one up to date.  That said, a search on "Security
Checklist" will turn up a few candidates.  You also may want to read:

http://www.nfr.net/firewall-wizards/mail-archive/1998/Mar/0052.html

To paraphrase Marcus:

"I'm not trying to attack you for asking a simple and straightforward
question. But, I beg you, if you find a checklist, please don't think
it's something you can apply in a simple and straightforward manner."

Now maybe I'm mischaracterizing or misunderstanding your question, or
maybe I'm not taking into account a long past history of INFOSEC
experience that you have.  But *If* I was looking for an auditor and I saw
the above question in a search, it'd make me think twice.

Paul
[DISCLAIMER: My current employer does some level of auditing/assurance
work that may compete directly with such a service.]
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
