Ron DuFresne <[EMAIL PROTECTED]> wrote:

> One of the reasons we prefer to do a thorough audit rather than
> "piercing" or pen testing. A thorough audit of policies, assets,
> CONFIGURATION, known vulnerabilities, it often yields better info in a
> resource-diminished environment than either of the other two.
Aha. Now we're talking about testing a firewall for _security_ - which is a much more interesting topic! :)

I used to do firewall audits, too, and taught firewall auditing for a bunch of years. One of the things I used to tell my students to focus on was the software _behind_ the firewall. In every case where I did an audit and found a problem, it had nothing to do with the firewall; it was a case where the firewall was allowing traffic _in_ to something behind it that was vulnerable. Firewalls, after all, are pretty simplistic valves on traffic, and the vast majority of them do zero traffic analysis or content analysis.

It's kind of funny. You look at the firewall policy and pull out the addresses of every machine that is an inbound-traffic recipient. Then you find the software and release level of the server package that is collecting that traffic. Then you do a security vulnerability search for that software. And 90% of the time you find a vulnerability. It's got nothing to do with the firewall at all.

What the firewall does is invert the network security problem into an application/port security problem. It's easier to manage, but a lot of organizations don't realize that they have security work to do _after_ the firewall goes in. :(

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
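The three-step audit described in the post (pull inbound-traffic recipients out of the policy, look up what is listening there, check that software against known vulnerabilities) as a small added script; this is example code, not anything from the post or from NFR. The rule set uses iptables-save syntax, and the host addresses, product names, versions and advisory identifiers are all constructed placeholders.

```python
import re

# Constructed firewall policy in iptables-save syntax (example data, not from the post).
FIREWALL_RULES = """\
-A INPUT -i eth0 -p tcp -d 192.0.2.10 --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -d 192.0.2.11 --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -d 192.0.2.12 --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -d 192.0.2.11 --dport 443 -j ACCEPT
-A INPUT -i eth0 -j DROP
"""

# Constructed inventory of what actually listens behind the firewall:
# (host, port) -> (product, release level). Product names are hypothetical.
INVENTORY = {
    ("192.0.2.10", 25): ("examplemta", "1.2.0"),
    ("192.0.2.11", 80): ("examplehttpd", "2.4.1"),
    ("192.0.2.12", 22): ("examplesshd", "7.9"),
}

# Constructed advisory list: product -> [(first fixed version, advisory id)].
# "HYPO-..." identifiers are placeholders, not real advisories.
ADVISORIES = {
    "examplemta": [("1.2.3", "HYPO-0001")],
    "examplehttpd": [("2.4.0", "HYPO-0002")],
}

# Only rules that let traffic *in* to a specific host:port matter for this audit.
RULE_RE = re.compile(r"-A INPUT .*?-d (\S+) --dport (\d+) -j ACCEPT")

def inbound_recipients(rules):
    """Step 1: every (host, port) the policy allows inbound traffic to reach."""
    return [(m.group(1), int(m.group(2))) for m in RULE_RE.finditer(rules)]

def version_tuple(version):
    """Turn '1.2.0' into (1, 2, 0) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def audit(rules, inventory, advisories):
    """Steps 2 and 3: map each exposed port to its software and flag known issues.

    An exposed port with no inventory entry is itself a finding: the firewall
    admits traffic to something nobody has accounted for."""
    findings = []
    for host, port in inbound_recipients(rules):
        service = inventory.get((host, port))
        if service is None:
            findings.append((host, port, "not in inventory"))
            continue
        product, version = service
        for fixed_in, advisory in advisories.get(product, []):
            if version_tuple(version) < version_tuple(fixed_in):
                findings.append((host, port, f"{product} {version} affected by {advisory}"))
    return findings

if __name__ == "__main__":
    for host, port, note in audit(FIREWALL_RULES, INVENTORY, ADVISORIES):
        print(f"{host}:{port}  {note}")
```

Run against the constructed data it reports the unpatched mail server and the unaccounted-for port 443, while the firewall rules themselves contain nothing wrong.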
