NFR Wizards Archive: Re: Penetration testing via shrinkware

Re: Penetration testing via shrinkware


Christopher Nicholls (chrisnsoftway.com.au)
Sun, 20 Sep 1998 06:47:08 +1000


At 12:44 AM 18/09/98 -0700, Crispin Cowan wrote:
>tqbfpobox.com wrote:
>
>> > person/company for the job... Problem is, which tools and which people do
>> > you trust? Sounds like the subject of certification and accreditation comes
>> > back into play...
>>
>> Scanners are probably much easier to certify than firewalls (which
>> probably can't be meaningfully certified at all).
>
>I beg to differ. A firewall can at least theoretically be verified: if it is
>formally proven to enforce a policy of (say) allowing through traffic on ports X
>and Y, and no others, then the firewall is verified. A scanner, on the other
>hand, can never be verified, because the potential list of vulnerabilities that
>it could reasonably be expected to check for is infinite. Scanners can never be
>complete, because the space of possible mis-configurations and buggy software
>knows no bounds.

True, but the same can be said for firewalls, in that there are always new
attack mechanisms being developed to defeat firewalls; so in a sense they
are never complete either. Certification of firewalls is usually
assurance-based; that is, verified to levels of assurance - such as the
Common-Criteria evaluations. This means that basically the certification
procedure checks and confirms what the manufacturers claim it can do -
a security target. Maybe it would be possible to set a similar security
target for intrusion detection software and scanner software too?

Regards

Christopher
----------------------------------------------------------------------
Christopher A. Nicholls
----------------------------------------------------------------------
Softway Pty Ltd ACN: 002 726 641
Canberra Branch Office: Suite 1.3, Dickson Park Professional Centre
151 Cowper Street, Dickson ACT 2602
PO Box 923, Dickson ACT 2602
Ph: +61 2 6257 0666
Fax: +61 2 6257 0665 E-mail: chrisnsoftway.com.au
Mob: 0411 454 755 WWW: http://www.softway.com.au
---------------------------------------------------------------------------



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT