It's not a matter of Nessus or any other tool being "good enough" - the point goes back to what your friend said about being too busy. I have a limited number of hours per week. I manage 8 firewalls, numerous IDS sensors and maintain about 50 VPNs for my company. I am also part of a team responsible for managing our routers, switches, etc. I do not have time to research, on a regular basis, everything going on in the industry.
I've been told some companies hire security people who do nothing else - but I've yet to work at such a place, and can't say what it would be like...

----- Original Message -----
From: "yannick'san" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 24, 2003 11:24 AM
Subject: Evaluating the security level of a firewall

> Hello folks,
>
> Well, a couple of days ago, I had a strong discussion with friends about how
> to regularly evaluate the security level of a firewall.
>
> First of all, everybody agreed that we can't install/configure a firewall
> and then sleep and consider that everything behind it is in a secure area.
> In any security approach we have to think about the "life cycle" of the
> firewall. Thus, security managers have to plan for a recursive process for
> regularly looking at its state and the vulnerabilities which could have
> come out on it.
> In fact, our discussion became very strong when we started to talk about the
> methods we were using. They told me that they were only evaluating the
> security level by regularly launching tools (like Nessus) against their
> firewall. So, somewhere in a procedure it was clearly written a sentence
> like this one:
>
> "We consider (today) that the firewall and its configuration is secure
> according to the results given by Nessus."... and that's all.
>
> It seems that I was the only one to consider that we could not only
> evaluate a security level according to the results given by this tool but we
> also had to look for vulnerabilities in CERTs or CVE. In case of a
> 0-vulnerability result, the tools will let us think that the security level
> is good while in fact it is completely wrong. I considered that it was a
> wrong way of thinking and told them that my sentence would have been:
>
> "We consider (today) that the firewall and its configuration is secure
> according to the results given both by a search on CVE or CERTS databases
> and the actual configuration and last update. Nessus (or other tools) are
> used to improve our view but are not considered as sufficient."
>
> I've been told that looking for CVE or CERTS vulnerabilities takes too long
> for a lonely security manager who has to deal with a lot of
> equipment and other security stuff. They said Nessus gives them a good
> security view and without any security organisation to help them, the task
> is too hard.
>
> I answered that if a security manager can't take the time to check for
> vulnerabilities in specific databases, he must write somewhere the reasons
> and the security consequences of his choice: the reasons and security
> consequences of just using tools like Nessus. Our discussion about this
> subject has covered subjects like process, procedures, methods, risk
> analysis (especially identification of the threats), security management, ...,
> but finally I was told that most companies do like them and my approach
> was not used.
>
> I would like to know your point of view, your experiences, for example: do you
> only use Nessus (or anything else) and consider the results as valuable??
> Any comments (flame or not) are welcome :)
>
> Thanks in advance.
>
> -Yannick
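One way to turn the criterion Yannick argues for (scanner result, plus a search of advisory databases for the deployed product and version, plus the last update) into a repeatable check, as an added example that is not part of this thread. The product name, advisory entries and dates are constructed for illustration, not real CVE records.

```python
from datetime import date

# Constructed sample advisory feed keyed by product and the version that fixes the issue.
# In practice this would be pulled from CVE/CERT data; these entries are not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "ExampleFW", "fixed_in": "4.1.3",
     "note": "management interface issue (constructed entry)"},
    {"id": "ADV-EXAMPLE-2", "product": "ExampleFW", "fixed_in": "3.9.0",
     "note": "already fixed in any 4.x release (constructed entry)"},
    {"id": "ADV-EXAMPLE-3", "product": "OtherFW", "fixed_in": "2.0.1",
     "note": "different product, must not match (constructed entry)"},
]


def version_tuple(version):
    """Turn a dotted version string such as '4.1.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def open_advisories(product, version, advisories=ADVISORIES):
    """Advisories for this product whose fix version is newer than what is deployed."""
    deployed = version_tuple(version)
    return [a for a in advisories
            if a["product"] == product and deployed < version_tuple(a["fixed_in"])]


def assess(product, version, scan_findings, last_update, today, max_age_days=30):
    """Combine the three sources the thread discusses into one documented verdict.

    scan_findings: list of finding names reported by the scanner (empty = clean scan).
    last_update:   date the firewall was last patched; stale updates are a reason on their own.
    Returns a dict with the verdict and the written reasons, so the decision is recorded
    rather than reduced to 'the scanner said nothing'.
    """
    reasons = []
    if scan_findings:
        reasons.append(f"scanner reported {len(scan_findings)} finding(s)")
    unpatched = open_advisories(product, version)
    if unpatched:
        reasons.append("unpatched advisories: " + ", ".join(a["id"] for a in unpatched))
    age = (today - last_update).days
    if age > max_age_days:
        reasons.append(f"last update was {age} days ago (limit {max_age_days})")
    return {"secure": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # A clean scan on an outdated release is still flagged by the advisory check.
    print(assess("ExampleFW", "4.1.0", [], date(2003, 5, 1), date(2003, 5, 24)))
```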
