RE: Vulnerability analysis tools

From: Aaron C. Newman (Application Security, Inc.) (anewman@appsecinc.com)
Date: 01/24/02


From: "Aaron C. Newman (Application Security, Inc.)" <anewman@appsecinc.com>
To: "Mario Behring" <mariobehring@yahoo.com>, <security-basics@lists.securityfocus.com>
Date: Thu, 24 Jan 2002 13:31:11 -0500

Mario,

>- Should I create a DMZ and put this DB server there?

Definitely you want your Oracle database behind a firewall. Even Oracle will
tell you the database is not meant to be exposed to the internet directly.
Lots of pretty simple DoS attacks if you aren't totally patched, and even
more serious attacks exist in the external procedure server, listener, and
database instance.

From the database perspective, you can download a free evaluation of
AppDetective for Oracle from www.oraclesecurity.net. It does pen testing and
VA against an Oracle database. Takes both an inside-out (security from a valid
user's perspective) and an outside-in approach (security from an unauthorized
attacker's perspective).

Regards,
Aaron
____________________________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
Tel: 212-490-6022
Fax: 212-490-6456
E-mail: anewman@appsecinc.com
Web: http://www.appsecinc.com
- Protection Where it Counts -

-----Original Message-----
From: Mario Behring [mailto:mariobehring@yahoo.com]
Sent: 22 January 2002 07:52
To: security-basics@lists.securityfocus.com
Subject: Vulnerability analysis tools

Hi list,

Does anybody know a good tool for testing a small environment for
vulnerabilities?

I have the following scenario:

1- A web server hosted at an IDC (Internet Data Center)
2- A router connected to the IDC via a link (T1 or something)
3- One Microsoft ISA Server running as a firewall with 2 NICs, one
connected to the router described in item 2 and the other connected to the
internal network.
4- A Database server - Oracle running on Windows 2000 Server in the
internal network. This DB will be accessed by Internet users that visit
the website (located at the web server described in item 1) depending on
the options they choose at the web page.

I need to analyse the vulnerabilities in such a scenario and report them.
Is there any tool (freeware or not) that analyses this scenario from
various points of view? For instance, I have to analyse this from the
perspective of someone accessing the web page and then accessing the DB
server on the internal network.

I have some other questions:

- Should I put a real firewall in place (Firewall-1 or Raptor for example)
instead of this ISA Server?
- Should I create a DMZ and put this DB server there?

Thanks in advance.

Mario

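To make the "database behind a firewall" advice from the reply concrete, here is an added example (not code from either poster or from Application Security, Inc.) that models Mario's topology as a small first-match firewall policy and reports which hosts can reach the Oracle TNS listener. All addresses are constructed placeholders; the web server at the IDC, the internal Oracle host and the listener port 1521 are assumptions standing in for the real environment.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses for the thread's topology (not real values).
IDC_WEB_SERVER = "203.0.113.10"     # web server hosted at the IDC
ORACLE_DB = "10.0.0.20"             # Oracle on Windows 2000 on the internal network
ORACLE_LISTENER_PORT = 1521         # default Oracle TNS listener port (assumption)

def first_match(rules, src, dst, port):
    """Evaluate rules top-down, first match wins; anything unmatched is denied."""
    for action, src_net, dst_net, ports in rules:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and (ports is None or port in ports)):
            return action
    return "deny"

# Weak policy: the listener is reachable from any source, which is the
# "exposed to the internet directly" situation the reply warns against.
WEAK_POLICY = [
    ("allow", "0.0.0.0/0", ORACLE_DB + "/32", {ORACLE_LISTENER_PORT}),
]

# Hardened policy: only the IDC web server may talk to the listener, and every
# other packet to the database host is dropped (no other ports, no other hosts).
HARDENED_POLICY = [
    ("allow", IDC_WEB_SERVER + "/32", ORACLE_DB + "/32", {ORACLE_LISTENER_PORT}),
    ("deny", "0.0.0.0/0", ORACLE_DB + "/32", None),
]

def listener_exposure(rules, sources):
    """Return the sources that the policy lets reach the Oracle listener."""
    return [s for s in sources
            if first_match(rules, s, ORACLE_DB, ORACLE_LISTENER_PORT) == "allow"]

# Constructed probe sources: the IDC web server, an arbitrary internet host,
# and an internal workstation.
PROBE_SOURCES = [IDC_WEB_SERVER, "198.51.100.7", "10.0.0.99"]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name:8s} listener reachable from: {listener_exposure(policy, PROBE_SOURCES)}")
```

The same evaluator can be pointed at the real rule set exported from the firewall to confirm that the listener is reachable only from the web server, which is the inside-out check before running any outside-in scan.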