Re: [fw-wiz] concerning ~el8 / project mayhem

From: Paul Robertson (proberts@patriot.net)
Date: 08/21/02


From: Paul Robertson <proberts@patriot.net>
To: "Anton A. Chuvakin" <anton@chuvakin.org>
Date: Wed Aug 21 10:58:19 2002

On Wed, 21 Aug 2002, Anton A. Chuvakin wrote:

Hi Anton,

> >customers don't understand that you don't *need* the attack tools to mount
> >an effective defense, nor to tell what's wrong with the current one. I
> >think even vulnerability scanners are mostly a waste of time.

> Hmm, that really doesn't sit well with me. As I understand, you are
> advocating good security design over testing? But what about human errors
> in the above "good design"? Admittedly, no one can eliminate all of them,
> thus scanners/exploit tools will serve as a final semi-real-world test of
> how "good" the above design really is.

While I am indeed advocating good design, I'm not against validation; I'm
against vulnerability scanning. That, I think, is our point of difference
(or maybe I just didn't articulate it well). In other words, I'm saying
that configuration validation is better than vulnerability testing for
almost all classes of electronic attack.

Here are some examples:

The network security person decides that she'll allow any connection
through the outside screening router and firewall originating in her cable
modem provider's netblock. A scanner won't pick that up unless it's
running from that netblock or running long enough to spoof any potential
addresses (assuming the correlation between discarded packets and rulesets
can be made.)

The Web server admin adds a new IIS mapping for .xyz files that does the
same thing as .ida "just in case" the company ever screws him. Haven't
seen a vulnerability scanner yet that would handle that well.

The vulnerability is damaging enough that a non-destructive test isn't
possible. Therefore the scanner never gets run for that because it might
bring down a production machine.

Rather than go on, I'll let those serve as examples. Good security design
isn't best validated by vulnerability testing, it's best validated by
implementation verification. What's more, it's possible to validate
things either manually or in an automated fashion, and it's possible to
architect for easy validation.

It takes me about 10 minutes to manually configure a Linux server so that
I'm fairly confident that it's as "hardened" as is necessary. It takes me
about 2 minutes to see if a box has been configured that way (now, please
understand I'm talking manually in both of those cases; obviously
automating it makes it much easier.) It takes me 15 minutes to run a
vulnerability scanner against that box.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
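As an added illustration of the configuration-validation approach Paul describes (example code written for this page, not from the original post or from any product mentioned in the thread): the two checks below read the configuration itself rather than probing the host, so they catch the two defects in his examples no matter where a scanner would have been run from. The iptables-save style ruleset and the IIS-style script-mapping table are constructed samples, and the handler allowlist is an assumption about what this particular host is supposed to serve.

```python
"""Configuration validation instead of vulnerability scanning.

Two audits over constructed sample configs: an iptables-save style INPUT
chain and an IIS-style script-mapping table.  Each finds its defect by
reading the configuration, not by sending packets at the host.
"""
import ipaddress
import re

# Constructed sample ruleset (not taken from a real host).  The fifth rule
# is the "allow anything from my cable modem provider's netblock" case.
SAMPLE_IPTABLES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.1.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 24.0.0.0/8 -j ACCEPT
-A INPUT -j DROP
"""

# Constructed sample script mappings as "extension,handler" pairs.  The
# last line is the ".xyz does the same thing as .ida" case.
SAMPLE_SCRIPTMAPS = """\
.asp,C:\\WINNT\\System32\\inetsrv\\asp.dll
.ida,C:\\WINNT\\System32\\idq.dll
.idq,C:\\WINNT\\System32\\idq.dll
.xyz,C:\\WINNT\\System32\\idq.dll
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(net):
    """True if the network lies entirely inside RFC 1918 space."""
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def audit_firewall(rules_text):
    """Return ACCEPT rules that admit a source network on every port.

    Loopback and state-tracking rules are skipped; any other ACCEPT with
    no --dport is a blanket allow and is reported with its source scope.
    """
    findings = []
    for line in rules_text.splitlines():
        if " -j ACCEPT" not in line or " -i lo" in line or "--state" in line:
            continue
        if "--dport" in line:
            continue
        m = re.search(r"-s (\S+)", line)
        src = (ipaddress.ip_network(m.group(1), strict=False) if m
               else ipaddress.ip_network("0.0.0.0/0"))
        scope = "private" if is_private(src) else "external"
        findings.append((line.strip(),
                         f"{scope} source {src} accepted on every port"))
    return findings


# Assumed allowlist: which extensions each handler DLL is expected to serve
# on this host.  This is the reviewer's expectation, not an IIS default.
EXPECTED_MAPPINGS = {
    "asp.dll": {".asp"},
    "idq.dll": {".ida", ".idq"},
}


def audit_scriptmaps(maps_text):
    """Flag mappings to unknown handlers, or unexpected extensions routed
    to a known handler (the .xyz -> idq.dll case)."""
    findings = []
    for line in maps_text.splitlines():
        ext, handler = line.split(",", 1)
        dll = handler.rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_MAPPINGS.get(dll)
        if expected is None:
            findings.append((ext, dll, "handler not in allowlist"))
        elif ext.lower() not in expected:
            findings.append((ext, dll,
                             "unexpected extension routed to known handler"))
    return findings


if __name__ == "__main__":
    for rule, why in audit_firewall(SAMPLE_IPTABLES):
        print(f"FIREWALL {why}: {rule}")
    for ext, dll, why in audit_scriptmaps(SAMPLE_SCRIPTMAPS):
        print(f"SCRIPTMAP {ext} -> {dll}: {why}")
```

Run stand-alone, it reports the 24.0.0.0/8 blanket allow and the .xyz mapping, neither of which a scanner run from outside that netblock, or one that only knows the .ida extension, would show. If the host does not need Index Server at all, the right fix is to drop idq.dll from the allowlist entirely, after which the audit flags the .ida and .idq mappings as well; that is the "architect for easy validation" point, the allowlist is the design and the audit checks the implementation against it.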


