On Fri, 18 Jan 2002, Marcus J. Ranum wrote:
> Ron DuFresne <[EMAIL PROTECTED]> wrote:
> >One of the reasons we prefer to do a thorough audit rather than
> >"piercing" or pen testing. A thorough audit of policies, assets,
> >CONFIGURATION, known vulnerabilities, it often yields better info in a
> >resource diminished environment than either of the other two.
>
> Aha. Now we're talking about testing a firewall for _security_ - which
> is a much more interesting topic! :)
>
> I used to do firewall audits, too, and taught firewall auditing for a bunch
> of years. One of the things I used to tell my students to focus on was
> the software _behind_ the firewall. In every case where I did an audit
> and found a problem, it had nothing to do with the firewall, it was a
> case where the firewall was allowing traffic _in_ to something behind
> it that was vulnerable. Firewalls, after all, are pretty simplistic valves
> on traffic and the vast majority of them do zero traffic analysis or
> content analysis.
>
> It's kind of funny. You look at the firewall policy and pull out the addresses
> of every machine that is an inbound-traffic recipient. Then you find the
> software and release level of the server package that is collecting that
> traffic. Then you do a security vulnerability search for that software. And
> 90% of the time you find a vulnerability. It's got nothing to do with the
> firewall at all. What the firewall does is invert the network security
> problem into an application/port security problem. It's easier to manage
> but a lot of organizations don't realize that they have security work to
> do _after_ the firewall goes in. :(
>
Agreed, the auditing does not end at the screening router and firewall, it
encompasses the whole network setup, and should look down to the desktop
level, at the persons behind the keyboards, at least the processes
different departments use to go about their daily chores. Still, it
certainly does not avoid the screening router and firewall, which are part
of the company's security policy for sure, but, only a part.
It's sometimes surprising for a company, to find out that after effecting a
policy, putting in the perimeter devices to help enforce it, how many
people within the organisation are circumventing that policy and the devices
put up to manage it. It can raise eyebrows for sure, and many times those
guilty of the circumvention are not doing so with evil intent. They are
merely not paying attention to what policy states. And this can be a real
issue when working with business partners. I've seen a number of fw-1
setups whence the box was merely an open router due to relational
'requirements'.
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
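The procedure Marcus describes (pull every destination the policy lets inbound traffic reach, identify the software and release listening there, check it against known advisories), together with Ron's "open router" any/any partner rules, as an added example that is not code from the original thread or from any firewall vendor. The rule syntax, the internal address ranges, the listener inventory, the advisory list and the software names (acme-smtpd, acme-httpd) are all constructed for illustration; none of it refers to a real product or advisory.

```python
"""Firewall-policy audit helper (added example, not from the original thread).

Walks an inbound-allow rule set: finds the dst:service pairs an external
source may reach, looks up what listens there, compares its release to an
advisory list, and separately flags accept rules with service "any" and an
"any" endpoint, the pattern where the firewall is really just a router.
Rule format, inventory, advisories and software names are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # "proto/port" or "any"
    action: str   # "accept" or "drop"


# Constructed rule set, first match wins, in a "src dst service action" text
# form (the format is an assumption, not any vendor's export syntax).
RULES_TEXT = """
# src               dst                service   action
any                 203.0.113.10/32    tcp/25    accept   # mail relay
any                 203.0.113.11/32    tcp/80    accept   # web
any                 203.0.113.11/32    tcp/443   accept   # web
10.0.0.0/8          203.0.113.12/32    tcp/22    accept   # admin ssh from inside
198.51.100.0/24     any                any       accept   # "partner requirement"
any                 any                any       drop
"""

# Constructed: what actually listens behind each accepted dst:service.
INVENTORY = {
    ("203.0.113.10/32", "tcp/25"):  ("acme-smtpd", "2.1"),
    ("203.0.113.11/32", "tcp/80"):  ("acme-httpd", "1.3"),
    ("203.0.113.11/32", "tcp/443"): ("acme-httpd", "1.3"),
}

# Constructed advisory list: software -> (first fixed release, note). Fictional.
ADVISORIES = {
    "acme-smtpd": ("2.2", "constructed advisory: remote compromise fixed in 2.2"),
    "acme-httpd": ("1.3", "constructed advisory: fixed in 1.3"),
}

# Constructed: the inside and the DMZ; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        src, dst, service, action = line.split()
        rules.append(Rule(src, dst, service.lower(), action.lower()))
    return rules


def source_is_external(src, internal_nets):
    """True if the rule's source can contain an address outside the internal nets."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(n) for n in internal_nets)


def inbound_exposures(rules, internal_nets):
    """Sorted (dst, service) pairs that some external source is allowed to reach.
    Simplification (assumption): shadowing by earlier rules is not computed,
    so every accept rule is treated as live."""
    exposed = {(r.dst, r.service) for r in rules
               if r.action == "accept" and source_is_external(r.src, internal_nets)}
    return sorted(exposed)


def open_router_rules(rules):
    """Accept rules with service 'any' and an 'any' endpoint: in that direction
    the firewall passes everything, i.e. it is acting as a plain router."""
    return [r for r in rules
            if r.action == "accept" and r.service == "any"
            and "any" in (r.src, r.dst)]


def _version(v):
    return tuple(int(x) for x in v.split("."))


def audit(rules, internal_nets, inventory, advisories):
    """For each exposure, name the listener; report it if its release is below
    the first fixed one, or if nobody can say what listens there at all."""
    findings = []
    for dst, service in inbound_exposures(rules, internal_nets):
        if (dst, service) not in inventory:
            findings.append((dst, service, "no inventory entry: listener unknown"))
            continue
        software, release = inventory[(dst, service)]
        if software in advisories:
            fixed, note = advisories[software]
            if _version(release) < _version(fixed):
                findings.append((dst, service, f"{software} {release}: {note}"))
    return findings


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for r in open_router_rules(rules):
        print("open-router rule:", r)
    for f in audit(rules, INTERNAL_NETS, INVENTORY, ADVISORIES):
        print("finding:", *f)
```

On the constructed policy this reports the mail relay as running a release below the fixed one, reports the partner rule both as an "open router" rule and as an exposure with no inventory entry, and says nothing about the web host because its release is current. The ssh rule is not reported because its source lies inside the internal ranges. The inventory lookup is where the real work sits in practice: the firewall policy tells you only the address and port, and the step that turns that into "software X, release Y" is what most organisations skip once the firewall is in.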