Firewall Wizards mailing list archives

RE: Vulnerability Scanners ( was: concerning ~el8 / project mayhem )


From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Thu, 22 Aug 2002 10:16:21 -0400

One could also argue that according to the practice of only 
allowing what is needed and blocking all else, some sort of 
access control should be in place that prevents FTP traffic 
from ever getting to that server. FTP traffic beyond that of 
authorized servers should be denied at the perimeter. An 
audit of your security practices would tell you whether you 
have denied all FTP. A scanner can only tell you that host 
w.x.y.z is running an FTP server and you can access it.

Sounds great in theory, but I think many companies probably face a staff
that at best doesn't understand, or at worst is openly hostile to,
written security and IT policies and practices. If you have a 30-office
company, it's sometimes impossible to limit what might happen in your
Corn Field, Iowa office. If a consultant out there decides to throw a
hub in between the router and the firewall, and figures out some free
address... Of course, you can limit this with MAC address filtering and
such, but sometimes we all have resource issues and things are missed or
put off.

Scanning has its place. I think it's vital to do multiple things to
assure your policies are being followed, from audits to scanning (which
is really part of a good audit in my mind).

The bottom line is that in any company that has just a hint of IT
knowledgeable (read: dangerous) staff, you'll have things on your network
you didn't authorize and don't want. And this is before even considering
internal issues. Get hit with a Code Red, and suddenly you are very
concerned about who is running unpatched IIS on your internal networks.
A scanner is *very helpful* for triaging that.




---------------------------------------------------------
Andrew J. Kalat,                 | Direct: (404)236-2713
                                 | Main:   (404)236-2600
Internet Security Systems, Inc.  | E-Mail: akalat () iss net
6303 Barfield Road               | <http://www.iss.net/>
Atlanta, GA 30328                | PGP key available.
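The thread's point is that a scanner tells you host w.x.y.z answers on port 21, while only a comparison with written policy tells you whether that is authorized. The following is an added example (not code from the list post or from ISS) that reconciles constructed scan findings against a constructed allow-list, treating any service the policy does not mention as unauthorized, and pulls out the hosts advertising IIS for the kind of Code Red triage the post describes.

```python
"""Reconcile port-scan findings against a written access policy.

Added example; the scan results and the policy below are constructed
sample data, not output from any real scanner or network.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "host port banner")

# Constructed scanner output: one row per open port, with a service banner.
SCAN_RESULTS = [
    Finding("10.0.1.5", 21, "ftp"),
    Finding("10.0.1.5", 22, "ssh"),
    Finding("10.0.7.23", 21, "ftp"),            # branch-office box, not in policy
    Finding("10.0.7.23", 80, "http IIS/5.0"),   # same box, also serving IIS
    Finding("10.0.2.10", 80, "http IIS/5.0"),
    Finding("10.0.2.10", 443, "https"),
]

# Constructed policy: service name -> hosts permitted to offer it.
# Anything not listed here is denied ("allow what is needed, block all else").
AUTHORIZED = {
    "ftp": {"10.0.1.5"},
    "ssh": {"10.0.1.5"},
    "http": {"10.0.2.10"},
    "https": {"10.0.2.10"},
}


def service_of(finding):
    """First word of the banner is the service name: 'http IIS/5.0' -> 'http'."""
    return finding.banner.split()[0]


def policy_violations(findings, authorized):
    """Return the findings whose host is not allowed to run that service."""
    return [f for f in findings
            if f.host not in authorized.get(service_of(f), set())]


def hosts_running(findings, product):
    """Sorted, de-duplicated hosts whose banner mentions a product (e.g. 'IIS').

    A banner cannot tell you whether the host is patched; it only gives you
    the list of machines to go and check first.
    """
    return sorted({f.host for f in findings if product in f.banner})


if __name__ == "__main__":
    for f in policy_violations(SCAN_RESULTS, AUTHORIZED):
        print(f"UNAUTHORIZED {service_of(f)} on {f.host}:{f.port}")
    print("IIS hosts to triage:", hosts_running(SCAN_RESULTS, "IIS"))
```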
