NFR Wizards Archive: Re: Penetration testing via shrinkware

Re: Penetration testing via shrinkware


Adam Shostack (adamhomeport.org)
Sun, 20 Sep 1998 03:11:02 -0400


I find the fuzz work to be of great use in finding unknown bugs in
firewalls. Requires a couple of machines, and a few weeks of idle
time for them. Fuzz & Fuzz Revisited are the papers. U Wisconsin.

Adam

On Fri, Sep 18, 1998 at 01:17:51PM +0000, John McDermott wrote:

| By the same token, how can firewall testing be accomplished? Let us assume
| bug B. If there is no scanner for bug B because it is unknown until time
| T, then how can a firewall be certified at time <T that it protects itself
| and an internal network from bug B? That is, testing goes hand-in-hand
| with firewall certification, as I see it.
|
| If a firewall is certified to be correct wrt all known bugs on 1Sep98, how
| can it be guaranteed to be correct wrt some bug developed 10 September? It
| seems to me that certification of firewalls and scanners needs to be
| explicitly "as of date xx/xx/xxxx" and that all bets are off after that.
|
| --john
|
| >
| >Crispin
| >-----
|
|
| -------------------------------------
| Name: John McDermott
| VOICE: 505/377-6293 FAX 505/377-6313
| E-mail: John McDermott <jjmjkintl.com>
| Writer and Computer Consultant
| -------------------------------------

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT