Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: John McDermott <jjm () jkintl com>
Date: Fri, 18 Sep 98 13:17:51
--- On Fri, 18 Sep 1998 09:26:03 -0700 Crispin Cowan <crispin () cse ogi edu> wrote:
I agree with your assessment of what it means to really verify a firewall, and I certainly agree that it is difficult. However, it is also clearly possible, if one wishes to expend enough effort and money. A scanner, on the other hand, is simply not possible to verify. No matter what vulnerabilities the scanner checks for, there will always be the potential for a new mis-configuration, bug, or other vulnerability in some product that the scanner should check for, but does not. The set of things that a scanner should check for is infinite, so the scanner can never be complete.
By the same token, how can firewall testing be accomplished? Let us assume bug B. If there is no scanner for bug B because it is unknown until time T, then how can a firewall be certified at time <T that it protects itself and an internal network from bug B? That is, testing goes hand-in-hand with firewall certification, as I see it. If a firewall is certified to be correct wrt all known bugs on 1Sep98, how can it be guaranteed to be correct wrt some bug developed 10 September? It seems to me that certification of firewalls and scanners needs to be explicitly "as of date xx/xx/xxxx" and that all bets are off after that.
--john
Crispin -----
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------