|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Penetration testing via shrinkware
Paul D. Robertson (proberts
clark.net)
Sat, 19 Sep 1998 23:26:59 -0400 (EDT)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Deepak Vaidya: "Re: [FW1] How many rules can exists in fw1 ?"
- Previous message: Rodney van den Oever: "Re: placement of AG vs SPF"
- Maybe in reply to: Woody Weaver: "placement of AG vs SPF"
- Next in thread: Ryan Russell: "Re: Penetration testing via shrinkware"
On Fri, 18 Sep 1998, John McDermott wrote:
> I beg to differ with your differing :-). The issue in firewall
> verification is not pass/block verification. IMHO that is stateless filter
> verification (e.g. as for a router).
>
> Meaningful firewall verification (again IMHO) requires that each
> proxy/stateful inspector be proven to allow only correct operation of the
> protocol for which it is proxying. If a firewall is proxying, say, HTTP,
> the verification must show that there are no buffer overflows, for example,
> in the proxy and that the proxy is not performing any illegal operation
> which could impact the integrity of the firewall or the allegedly protected
> computers. This is probably "difficult".
HTTP is an open-ended protocol specification with some _limitless_ size
specifications, I submit that it is beyond "difficult" to verify correct
functionality of a layer 5 transport protocol. Testing just buffer
overflows on limitless length objects would seem to be less than an ideal
situation. Proxies are much easier to verify than stateful filters under
the same circumstances, but once again, the source code is probably going
to give you a much higher level of assurance that oversized objects are
correctly handled unless you don't go look at the souce to the library
routines as well, in which case you can either do that, or accept a lower
level of assurance by banging against the calls with a substantial set of
test data.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probertsclark.net which may have no basis whatsoever in fact."
PSB#9280
- Next message: Deepak Vaidya: "Re: [FW1] How many rules can exists in fw1 ?"
- Previous message: Rodney van den Oever: "Re: placement of AG vs SPF"
- Maybe in reply to: Woody Weaver: "placement of AG vs SPF"
- Next in thread: Ryan Russell: "Re: Penetration testing via shrinkware"
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT