Re: Penetration testing via shrinkware
John McDermott (jjm jkintl.com)
Fri, 18 Sep 98 09:51:21
- Next message: Ryan Russell: "Re: Penetration testing via shrinkware"
- Previous message: Christopher Nicholls: "Re: Penetration testing via shrinkware"
- In reply to: Crispin Cowan: "Re: Penetration testing via shrinkware"
- Next in thread: Crispin Cowan: "Re: Penetration testing via shrinkware"
- Reply: Crispin Cowan: "Re: Penetration testing via shrinkware"
- Reply: Paul D. Robertson: "Re: Penetration testing via shrinkware"
I beg to differ with your differing :-). The issue in firewall
verification is not pass/block verification. IMHO that is stateless filter
verification (e.g. as for a router).
Meaningful firewall verification (again IMHO) requires that each
proxy/stateful inspector be proven to allow only correct operation of the
protocol for which it is proxying. If a firewall is proxying, say, HTTP,
the verification must show that there are no buffer overflows, for example,
in the proxy and that the proxy is not performing any illegal operation
which could impact the integrity of the firewall or the allegedly protected
computers. This is probably "difficult".
--john
--- On Fri, 18 Sep 1998 00:44:34 -0700 Crispin Cowan <crispin cse.ogi.edu> wrote:
>I beg to differ. A firewall can at least theoretically be verified: if it is
>formally proven to enforce a policy of (say) allowing through traffic on ports X
>and Y, and no others, then the firewall is verified. A scanner, on the other
>hand, can never be verified, because the potential list of vulnerabilities that
>it could reasonably be expected to check for is infinite. Scanners can never be
>complete, because the space of possible mis-configurations and buggy software
>knows no bounds.
>
>Crispin
> Support Justice: Boycott Windows 98
-----------------End of Original Message-----------------
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm jkintl.com>
Writer and Computer Consultant
-------------------------------------
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT