Re: Penetration Tests

[Bennett Todd <bet () rahul net>]

On Thu, Sep 25, 1997 at 09:00:46PM +0100, Edward Cracknell wrote:
> I'd really like some input regarding penetration tests. Internal and
> External.

Internal is really fruitful, at least potentially. You should play with Satan.
It's a good exercise to run COPS over at least a representative handful of
machines. Get 'em properly configured and both of these will likely produce
more output than you want, but you'll probably uncover configuration errors on
some subset of your systems that open up large problems.

An automated tool isn't going to do much good for an external
penetration attempt unless you have a truly ghastly configuration
error in your firewall. MJR has a superb paper explaining why at
<URL:http://www.clark.net/pub/mjr/pubs/fwtest/index.htm>. To really analyze a
firewall you need to combine automated tools like port scanners with inside
analysis. Identify every port that has a service listening, then research to
see if any bugs have been reported in the daemon that's servicing that port,
then closely check the configuration for problems. "netstat -a" is a good
friend here; it should produce so little output that you can explain every
last line.

Note that for any testing --- any useful security work at all, for that matter
--- you've gotta have a security policy in force; it has to do a good job of
reflecting the organization's needs, it has to have management support, and it
has to specify enough detail so it defines a spec that the security
infrastructure must meet. And you know, once you get done with _that_ chore
merely certifying the correctness of a firewall seems like a piece of cake.

-Bennett