Re: [fw-wiz] Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)
From: Al Potter (apotter@icsalabs.com)
Date: 10/09/02
- Next message: R. DuFresne: "Re: [fw-wiz] Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)"
- Previous message: Darren Reed: "Re: [fw-wiz] Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)"
- In reply to: R. DuFresne: "Re: [fw-wiz] Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "R. DuFresne" <dufresne@sysinfo.com>
From: Al Potter <apotter@icsalabs.com>
Date: Wed Oct 9 16:24:29 2002
Ron, listmembers, et al:
<trimmed greatly for brevity's sake, but quoted directly>
dufresne@sysinfo.com said:
> Getting vendors to work with researchers in such instances would be a
> grand thing<TM> as opposed to reckless threats of legal retribution
> after they have been advised of the issues by the researcher<s> who
> discovered the issues.
I would like to point something out which folks may not understand, but
find a little interesting about the relationship ICSA Labs has with its
vendors (our customers):
Assume a vendor is participating in our program, and attains certification
(many do not). From that point in time, going forward until when the
product is withdrawn from the market, or the vendor withdraws from the
program, the certified product is under ICSA Labs scrutiny and subject to
retest.
If we find (through our own investigation, or with subtle assistance like
that provided by Mikael Olssen) that the product is no longer in
compliance with certification requirements (see criteria link below), we
communicate this to the vendor and ask for configuration assistance,
assuming that we have misconfigured the product. 8-)
In the event that the product actually has a problem, the vendor is given
a formal deadline to bring the product back into compliance, or face loss
of certification.
In the past, and I have been personally involved with the firewall testing
and certification program at ICSA Labs since early 1997, this has proved
to be VERY effective. Unfortunately, this all happens "behind the
curtain" in almost every case, so the security community may not be aware
of it going on.
I would also like to point out that because we have a business
relationship with our customers, i.e., money changes hands, we have good,
current lines of communication with our vendors almost all of the time.
While we cannot make a blanket offer to test any and all issues reported
against any and all of our vendors' products (we juggle finite resources
like everybody else), we WILL offer to engage in a dialog with any
researcher who thinks she has found something "interesting" related to
one of our customers' products, and will offer to broker communications
between any researcher and any of our customers.
dufresne@sysinfo.com said:
> And we certainly could use more Mikaels in this world.
Amen...
AL
If it isn't already obvious, I work for ICSA Labs.
Firewall Criteria: www.icsalabs.com/html/communities/firewalls/index.shtml
We are currently testing against the 4.0 version of the criteria.
--
Al Potter
Manager, Network Security Labs
ICSA Labs apotter@icsalabs.com
www.icsalabs.com PGP Key ID: 0x58c95451