OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Antwort: Re: Facts, not Fiction

Re: Antwort: Re: Facts, not Fiction

Paul D. Robertson (probertsclark.net)
Mon, 10 Nov 1997 20:07:08 -0500 (EST)

On Mon, 10 Nov 1997 Hartmut.FehlingHamburg-Mannheimer.de wrote:

> Example: I have an NT-Host behind the FW which is vulnerable to POD or
> NetBIOS-Attacks. However, the FW-Host is supposed to filter out this kind
> of traffic. How far can I trust the _current_ products to do just that?

In an application layer gateway which doesn't forward, you should be able
to build a high level of trust if you don't have proxies for the
applications *and* the firewall itself isn't vulnerable. In a packet
filtering firewall, as much as you trust the particular implementation.

But of course, proxies get to be the same difficulty when it comes to
things at the application's transport layer.

Trust modeling is complex, and the barriers to entry into a trusted space
are quite high, and the path long. That's why you'll see a lot of us
arguing against jumping to the 'latest and greatest' of anything, be it
OS, product, or service.

Your audit points, ability to have good audits, and following the issues
should give you assurance based on your extension of trust.

Lastly, trust shouldn't be absolute.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probertsclark.net which may have no basis whatsoever in fact."
                                                                     PSB#9280

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT