RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )

From: R. DuFresne (dufresne@sysinfo.com)
Date: 08/22/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: Crispin Harris <crispin@internode.on.net>
Date: Thu Aug 22 11:52:01 2002

On Thu, 22 Aug 2002, Crispin Harris wrote:

> >One could also argue that according to the practice of only
> >allowing what is needed and blocking all else, some sort of
> >access control should be in place that prevents FTP traffic
> >from ever getting to that server. FTP traffic beyond that of
> >authorized servers should be denied at the perimeter. An
> >audit of your security practices would tell you whether you
> >have denied all FTP. A scanner can only tell you that host
> >w.x.y.z is running an FTP server and you can access it.
>
> This is a useful piece of information in itself, as it says 2 things directly,
> and several more indirectly:
> 1) FTP is not sufficiently limited.
> 2) w.x.y.z is running an FTP server.
> also:
> a) Your ingress filters are not correct
> b) Your ingress filters have probably not been reviewed recently (supposition)

There are so many companies that have no ingress filters; they, as Marcus
will state, not only don't care much about what passes inside, they
additionally have no clue as to what is passing inside.

>
> c) w.x.y.z is an "interesting system". This is grounds for a closer investigation.
>
> d) w.x.y.z's administrator is not complying with SecPol.

There are far too many companies that do not see this as anything of major
significance; we've seen so many messages in the lists over the years
about some admin or employee running some non-work-related app from their
desktop or server that allows them to do instant messaging or share MP3s
across the perimeter...<Subject: How do I stop such and such traffic from
passing the firewall I'm charged with maintaining>

> e) system & network documentation is probably not accurate.
> f) how did w.x.y.z get onto a controlled network in the first place? (investigation/politics).
>

<smile> One major provider with a foot in the security realm has had
troubles getting folks to submit machines for the various security groups'
stamps of compliance, due in part to the fact that none of the requirements
were documented. In trying to locate documents for various groups I was
charged with supporting and auditing for compliance to the corp policies,
I made it up to the upper-manager level of the various security-related
groups only to hear: Yes, we have been planning for the last two to five
years now on getting that documentation together, but we just have not
gotten around to it yet. Of course, doing that documentation would impact
their web surfing...

>
> This is then an example of the usefulness of {port, network, vulnerability}
> scanners. Like any other tool, the use/existence of a particular tool should
> not be substituted for intelligence and/or informed investigation.
>

        [SNIP]

Thanks,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
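The thread's core technical point is that a scanner only reports "host w.x.y.z is running an FTP server and you can reach it"; turning that into Crispin's findings (FTP not sufficiently limited, ingress filters incorrect, admin out of compliance) requires comparing the scan against what policy says is authorized. The following is an added example, not code from the thread or from any tool named in it. It performs a TCP connect probe with a banner grab, classifies the listener as FTP by the RFC 959 "220" greeting, and diffs the result against an allow-list of authorized FTP hosts. The allow-list address (192.0.2.10, an RFC 5737 documentation address) and the in-process fake FTP listener are constructed so that the example runs offline; on a real network you would pass the hosts behind your perimeter and your real authorized set.

```python
import socket
import threading

# Constructed policy: only this host is permitted to run FTP (assumption,
# RFC 5737 documentation address; replace with your authorized servers).
AUTHORIZED_FTP = {"192.0.2.10"}
FTP_PORT = 21


def probe_port(host, port, timeout=2.0):
    """TCP connect to host:port and read whatever greeting the service sends.

    Returns (is_open, banner). A scanner can establish only this much: that
    the port is reachable from here and what the listener says about itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # open, but silent (e.g. a client-speaks-first protocol)
            return True, banner
    except OSError:
        return False, ""  # refused, filtered, or timed out


def looks_like_ftp(banner):
    """FTP servers greet the client with a 220 reply (RFC 959) before any command."""
    return banner.startswith("220")


def audit_ftp(targets, authorized, timeout=2.0):
    """Compare reachable FTP listeners against the policy's authorized hosts.

    targets: iterable of (host, port) pairs to probe.
    Returns one finding per open port; an open FTP listener on a host not in
    `authorized` is the concrete evidence that ingress filtering and/or the
    server's admin is out of step with policy.
    """
    findings = []
    for host, port in targets:
        is_open, banner = probe_port(host, port, timeout)
        if not is_open:
            continue
        findings.append({
            "host": host,
            "port": port,
            "banner": banner,
            "ftp_banner": looks_like_ftp(banner),
            "status": "authorized" if host in authorized else "UNAUTHORIZED",
        })
    return findings


def start_fake_ftp_server(banner=b"220 constructed FTP service ready\r\n"):
    """Constructed stand-in for an FTP listener so the example runs offline.

    Binds an ephemeral port on loopback and sends an RFC 959-style greeting to
    each client. Returns (server_socket, port); close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_local_port():
    """Return a loopback port number that nothing is currently listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_fake_ftp_server()
    # 127.0.0.1 is not in AUTHORIZED_FTP, so this listener is a policy violation.
    for f in audit_ftp([("127.0.0.1", port), ("127.0.0.1", closed_local_port())],
                       AUTHORIZED_FTP):
        print(f"{f['host']}:{f['port']} {f['status']} ftp={f['ftp_banner']} "
              f"banner={f['banner']!r}")
    srv.close()
```

The scanner half (probe_port, looks_like_ftp) is deliberately dumb: it reports reachability and a greeting, nothing more. Everything that reads as a finding comes from audit_ftp comparing that against the authorized set, which is the "intelligence and informed investigation" the quoted text says a tool cannot substitute for. A listener that is open but silent is still reported, since "open and not FTP" on a host that should have no FTP at all is itself worth a look.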