Re: Penetration testing via shrinkware
Crispin Cowan (crispin cse.ogi.edu)
Fri, 18 Sep 1998 09:26:03 -0700
John McDermott wrote:
> Meaningful firewall verification (again IMHO) requires that each
> proxy/stateful inspector be proven to allow only correct operation of the
> protocol for which it is proxying. If a firewall is proxying, say, HTTP,
> the verification must show that there are no buffer overflows, for example,
> in the proxy and that the proxy is not performing any illegal operation
> which could impact the integrity of the firewall or the allegedly protected
> computers. This is probably "difficult".
I agree with your assessment of what it means to really verify a firewall, and
I certainly agree that it is difficult. However, it is also clearly possible,
if one wishes to expend enough effort and money.
A scanner, on the other hand, is simply not possible to verify. No matter
what vulnerabilities the scanner checks for, there will always be the
potential for a new mis-configuration, bug, or other vulnerability in some
product that the scanner should check for, but does not. The set of things
that a scanner should check for is infinite, so the scanner can never be
complete.
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT