On Mon, 22 Dec 2003, Yoni - Shocksite wrote:
> > If it is between the server and the targets, you must open all IP
> > traffic between those machines (not great for a firewall) and disable
> > any kind of anti-flood, anti-spoof counter-measures (e.g. FW-1 smart
> > defenses). Otherwise, your scan will be slow and inaccurate.
> > Honestly, in the latter case, you'd better move the server or the
> > firewall.
>
> OK, I guess that means "wide open server" policy!
> So to get clean and accurate results I drop the firewall.
>
> But what will protect my customer data and the server?
> Is there a strategy acceptable to balance Nessus accuracy and data protection?
1. Minimal server: Do not install anything on your nessus server which is
not required for nessus. (Dedicated machine and hardened OS!)
2. Relevance: Test in a way relevant to the real-life application. If a
firewall is designed to be in front of your webfarm and you want to know the
truth, you have to test from a similar location to where your average "hostile"
will be. Test the firewall along with the webfarm.
3. Separation: Do not install nessus in your own user environment unless
that is what you want to test. Use dedicated networks and preferably even
dedicated internet link(s) for tests.
No one said testing is cheap if you want to do it right.
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
[EMAIL PROTECTED] http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
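One practical way to enforce the "separation" point above (dedicated networks, never pointing the scanner at your own user environment by accident) is a scope gate that runs before any scan is launched. The script below is an added example written for this reply, not code from the thread or from Nessus; the allowed and denied networks in it are assumptions chosen for illustration, and the target syntax it accepts (single address, CIDR, dashed range) mirrors what the old Nessus client took in its target box.

```python
"""Scope gate for a dedicated scanning host.

Every target handed to the scanner must fall inside the approved test
scope and must not touch the scanner's own management segment. The
networks below are assumptions for this example, not values from the thread.
"""
import ipaddress

# Assumed scope: the dedicated test networks the scanner may reach.
ALLOWED_SCOPE = [
    ipaddress.ip_network("10.50.0.0/16"),   # assumed dedicated lab segment
    ipaddress.ip_network("192.0.2.0/24"),   # assumed external test range (TEST-NET-1)
]

# Assumed management network: the scanner's own admin segment, never a target.
DENIED_SCOPE = [
    ipaddress.ip_network("10.0.1.0/24"),
]


def parse_target(spec):
    """Expand one target spec into a list of ip_network objects.

    Accepts a single address (10.50.1.1), a CIDR block (10.50.1.0/24) or a
    dashed range (10.50.1.10-10.50.1.20). Raises ValueError on anything else,
    including a range whose end precedes its start.
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        start = ipaddress.ip_address(lo.strip())
        end = ipaddress.ip_address(hi.strip())
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


def check_scope(targets, allowed=ALLOWED_SCOPE, denied=DENIED_SCOPE):
    """Split target specs into (accepted, rejected).

    rejected is a list of (spec, reason). A spec is accepted only if every
    block it expands to lies inside some allowed network and overlaps no
    denied network; an unparseable spec is rejected rather than ignored.
    """
    accepted, rejected = [], []
    for spec in targets:
        try:
            nets = parse_target(spec)
        except ValueError as e:
            rejected.append((spec, f"unparseable: {e}"))
            continue
        reason = None
        for net in nets:
            same_ver_denied = [d for d in denied if d.version == net.version]
            same_ver_allowed = [a for a in allowed if a.version == net.version]
            if any(net.overlaps(d) for d in same_ver_denied):
                reason = f"{net} overlaps denied network"
                break
            if not any(net.subnet_of(a) for a in same_ver_allowed):
                reason = f"{net} outside allowed scope"
                break
        if reason:
            rejected.append((spec, reason))
        else:
            accepted.append(spec)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample target list, as a user might paste into the client.
    sample = [
        "10.50.1.1",
        "10.50.2.0/24",
        "192.0.2.10-192.0.2.20",
        "10.0.1.5",          # the scanner's own management net
        "172.16.0.0/12",     # the real user environment, out of scope
        "not-an-address",
    ]
    ok, bad = check_scope(sample)
    print("accepted:", ok)
    for spec, why in bad:
        print("rejected:", spec, "->", why)
```

Run it over the target list before starting the scan and refuse to launch if the rejected list is non-empty; the same gate belongs in front of any scheduled or scripted scan so that a typo in a target list cannot turn the dedicated scanner against the production user network.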
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus