Security Basics mailing list archives

Re: Evaluating the security level of a firewall
From: "James Fields" <jvfields () tds net>
Date: Mon, 26 May 2003 13:27:18 -0400

It's not a matter of Nessus or any other tool being "good enough" - the
point goes back to what your friend said about being too busy.  I have a
limited number of hours per week.  I manage 8 firewalls, numerous IDS
sensors and maintain about 50 VPNs for my company.  I also am part of a team
responsible for managing our routers, switches, etc.  I do not have time to
research, on a regular basis, everything going on in the industry.

I've been told some companies hire security people who do nothing else - but
I've yet to work at such a place, and can't say what it would be like...

----- Original Message ----- 
From: "yannick'san" <yannicksan () free fr>
To: <security-basics () securityfocus com>
Sent: Saturday, May 24, 2003 11:24 AM
Subject: Evaluating the security level of a firewall

Hello folks,

Well, a couple of days ago, I had a strong discussion with friends about
how to regularly evaluate the security level of a firewall.

First of all, everybody agreed that we can't install/configure a firewall
and then sleep and consider that everything behind it is in a secure area.
In any security approach we have to think about the "life cycle" of the
firewall. Thus, security managers have to plan a recursive process for
regularly looking at its state and the vulnerabilities which could have
come out on it.
In fact, our discussion became very strong when we started to talk about
the methods we were using. They told me that they were only evaluating the
security level by regularly launching tools (like Nessus) against their
firewall. So, somewhere in a procedure a sentence like this one was clearly
written:

"We consider (today) that the firewall and its configuration are secure
according to the results given by Nessus."... and that's all.

It seems that I was the only one to consider that we could not evaluate
a security level only according to the results given by this tool, but
also had to look for vulnerabilities in CERTs or CVE. In case of a
0-vulnerability result, the tools will let us think that the security
is good while in fact it is completely wrong. I considered that it was a
wrong way of thinking and told them that my sentence would have been:

"We consider (today) that the firewall and its configuration are secure
according to the results given both by a search on CVE or CERT databases
and the actual configuration and last update. Nessus (or other tools) are
used to improve our view but are not considered as sufficient."

I've been told that looking for CVE or CERT vulnerabilities takes too
much time for a lone security manager who has to deal with both a lot of
equipment and other security stuff. They said Nessus gives them a good
security view and, without any security organisation to help them, the task
is too hard.

I answered that if a security manager can't take the time to check for
vulnerabilities in specific databases, he must write down somewhere the
reasons and the security consequences of his choice: the reasons and
security consequences of just using tools like Nessus. Our discussion
about this subject has covered subjects like process, procedures, methods,
risk analysis (especially identification of the threats), security,
but finally I was told that most companies do like them and my approach
was not used.

I would like to know your point of view, your experiences, for example: do
you only use Nessus (or anything else) and consider the results as valuable?
Any comments (flame or not) are welcome :)

Thanks in advance.
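The two evaluation rules argued over in the original message, side by side, as an added illustration that is not part of either poster's mail: the scanner-only rule, and the rule that also checks the installed version against a CVE/CERT-style advisory list. The firewall product "ExampleFW", its versions and the "EXAMPLE-ADV-*" records are constructed placeholders, not real identifiers.

```python
from dataclasses import dataclass


@dataclass
class Advisory:
    """One CVE/CERT-style record; ident and product are constructed placeholders."""
    ident: str
    product: str
    fixed_in: str  # first version that is no longer affected


# Constructed advisory list standing in for a search of CVE/CERT databases.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleFW", "2.4.3"),
    Advisory("EXAMPLE-ADV-0002", "ExampleFW", "2.3.0"),
    Advisory("EXAMPLE-ADV-0003", "OtherProduct", "9.1.0"),
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def applicable_advisories(product, version, advisories):
    """Advisories for this product whose fix the running version predates."""
    running = parse_version(version)
    return [a for a in advisories
            if a.product == product and running < parse_version(a.fixed_in)]


def scan_only_verdict(scanner_findings):
    """The rule the poster's friends wrote down: a clean scan means secure."""
    return "secure (today)" if not scanner_findings else "not demonstrated secure"


def evaluate(product, version, scanner_findings, advisories):
    """The poster's rule: scan results plus a database check against the
    installed version. Returns (verdict, reasons) so every gap is visible."""
    reasons = [f"scanner finding: {f}" for f in scanner_findings]
    for adv in applicable_advisories(product, version, advisories):
        reasons.append(f"{adv.ident} applies to {product} {version}; fixed in {adv.fixed_in}")
    verdict = "secure (today)" if not reasons else "not demonstrated secure"
    return verdict, reasons


if __name__ == "__main__":
    # A clean scan against an unpatched build: the two rules disagree.
    clean_scan = []
    print(scan_only_verdict(clean_scan))
    print(evaluate("ExampleFW", "2.4.1", clean_scan, ADVISORIES))
```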



