Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: John McDermott <jjm () jkintl com>
Date: Fri, 18 Sep 98 13:17:51


--- On Fri, 18 Sep 1998 09:26:03 -0700  Crispin Cowan <crispin () cse ogi edu> wrote:


I agree with your assessment of what it means to really verify a firewall, and
I certainly agree that it is difficult.  However, it is also clearly possible,
if one wishes to expend enough effort and money.

A scanner, on the other hand, is simply not possible to verify.  No matter
what vulnerabilities the scanner checks for, there will always be the
potential for a new mis-configuration, bug, or other vulnerability in some
product that the scanner should check for, but does not.  The set of things
that a scanner should check for is infinite, so the scanner can never be
complete.

By the same token, how can firewall testing be accomplished?  Let us assume 
bug B.  If there is no scanner for bug B because it is unknown until time 
T, then how can a firewall be certified at time <T that it protects itself 
and an internal network from bug B?  That is, testing goes hand-in-hand 
with firewall certification, as I see it.

If a firewall is certified to be correct wrt all known bugs on 1Sep98, how 
can it be guaranteed to be correct wrt some bug developed 10 September?  It 
seems to me that certification of firewalls and scanners needs to be 
explicitly "as of date xx/xx/xxxx" and that all bets are off after that.

--john




-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------


