NFR Wizards Archive: Re: Penetration testing via shrinkware

Re: Penetration testing via shrinkware


John McDermott (jjmjkintl.com)
Fri, 18 Sep 98 13:17:51


--- On Fri, 18 Sep 1998 09:26:03 -0700 Crispin Cowan <crispincse.ogi.edu> wrote:

>
>I agree with your assessment of what it means to really verify a firewall,
>and I certainly agree that it is difficult. However, it is also clearly
>possible, if one wishes to expend enough effort and money.
>
>A scanner, on the other hand, is simply not possible to verify. No matter
>what vulnerabilities the scanner checks for, there will always be the
>potential for a new mis-configuration, bug, or other vulnerability in some
>product that the scanner should check for, but does not. The set of things
>that a scanner should check for is infinite, so the scanner can never be
>complete.

By the same token, how can firewall testing be accomplished? Let us assume
bug B. If there is no scanner for bug B because it is unknown until time
T, then how can a firewall be certified at time <T that it protects itself
and an internal network from bug B? That is, testing goes hand-in-hand
with firewall certification, as I see it.

If a firewall is certified to be correct wrt all known bugs on 1Sep98, how
can it be guaranteed to be correct wrt some bug developed 10 September? It
seems to me that certification of firewalls and scanners needs to be
explicitly "as of date xx/xx/xxxx" and that all bets are off after that.

--john

>
>Crispin
>-----

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjmjkintl.com>
Writer and Computer Consultant
-------------------------------------



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT