Home page logo

basics logo Security Basics mailing list archives

Re: Evaluating the security level of a firewall
From: James Taylor <james_n_taylor () yahoo com>
Date: Mon, 26 May 2003 18:25:46 -0700 (PDT)


I suppose the thing to bear in mind is that the company
directors and board are liable if there is a breach, so
ultimately the responsibility is with them to approve the

Part of all 'life-cycles' is the operations & maintenance
bit at the end. By limiting themselves to just testing with
nessus they are effectively 'clipping' the testing
parameters, making assumptions and closing out other
possible threats, including some of which are, of course,
non-technical. It's too true that people go to the trouble
of installing expensive security
hardware/software/training/consultancy, then cut corners by
not looking after it exposing themselves to attack by
closing their eyes. The maintenance bit is part of the cost
of the solution and should be built into the plan from the

If I was the security manager I would be doing everything
in my power to ensure that I was aware of all
vulnerabilities of my equipment, and would build these
tests/checks into the security administrators monthly
maintenance plan. It is just part of their role and
resource needs to be allocated as such. He/she sould make
management aware of resource shortfall (and may get a
bashing for not predicting it at implementation).

How long does it take to subscribe to the manufacturers
mailing list, search bugtraq/Certs/CVE against the name of
the protecting device/software and run any tests once a
month? 2-3 hours, perhaps? They will already be updating
the nessus database and keeping an an eye on the
OS/firewall patch levels. 

Present the options to senior management, explain the cost
and risks of *not* implementing/checking and let them
decide. If I were on the board, for the sake of peace of
mind, I would make sure there was resource available to
gather as much information about the solutions as possible.
In fact, it's probably part of the security manager’s job
description already.

Nessus is a very valuable tool, but only part of the
protection arsenal. It's difficult to comment on 'companies
like them', as normally the protection implemented depends
on the value of the data, and the cost of protecting it.
Who cares what other companies are doing anyway, it's not
their data you are protecting. Checking all possible
sources of information and using many available penetration
tools is, however, relatively cheap. Depending on the value
of the data, I would suggest that yearly penetration test
by an independent company would be of benefit and not
necessarily as cost-prohibitive as one may think.

What about "We undertake to test the firewall configuration
using all reasonable means currently available to the
company. From a technical perspective, this will include
ensuring that all patch levels and security parameters are
set to the manufacturer recommended levels, monthly testing
with de-facto vulnerability scanners (such as
nessus/xxx/xxx), extensive search of vulnerability lists
(such as CET/Bugtraq/xxx). From a non-technical perspective
we will employ strict change control, regular policy &
procedure re-evaluation and other administrative methods to
ensure our firewall policy is acceptable to the company. By
taking all reasonable steps freely available to us, we can
place a high level of confidence in the security mechanisms
in place at the time of examination"


--- yannick'san <yannicksan () free fr> wrote:
Hello folks,

Well, a couple of days ago, I had a strong discussion
with friends about how
to regularly evaluate the security level of a firewall.

First of all, everybody agreed that we can't
install/configure a firewall
and then sleep and consider that everything behind it is
in a secure area .
In any security approach we have to think about the "life
cycle" of the
firewall. thus, security managers has to plan for a
recursive process for
regularly looking for its state and the vulnerabilities
which could have
came out on it.
In fact, our discussion became very strong when we
started to talk about the
methods we were using for. They told me that they were
only evaluating the
security level by regularly launching tools (like nessus)
against their
firewall. So, somewhere in a procedure it was clearly
written a sentance
like this one :

"We considere (today) that the firewall and its
configuration is secure
according to the results given by nessus."... and that's

It seems that I was the only one to considere that we
could not only
evaluate a security level regarding to the results given
by this tool but we
also had to look for vulnerabilities in CERTS or CVE. In
case of a
0-vulnerability result, the tools will let us think that
the security level
is good while in fact it is completly wrong. I considered
that it was a
wrong way of thinking and told them that my sentance will
have been :

"We considere (today) that the firewall and its
configuration is secure
according to the results given both by a search on CVE or
CERTS databases
and the actual configuration and last update. Nessus (or
other tools) are
used to improve our view but are not considered as

I've been told that looking for CVE or CERTS
vulnerabilities takes too long
time for a lonely security manager who both has to deal
with a lot of
equipments and other security stuffs. They said nessus
give them a good
security view and without any security organisation to
help them, the task
is too hard.

I answered that if a security manager can't take the time
to check for
vulnerabilities in specific databases, he must write
somewhere the reasons
and the security consequences of his choice.  Reason and
consequences of just using tools like nessus. Our
discussion about this
subject has covered subjects like process, procedures,
methods, risk
analysis (especialy identification of the threats),
security management,...,
but finaly I was told that most of companies do like them
and my approach
was not used.

I would to know your point of view, your experiences, for
exemple : do you
only use nessus (or anything else) and considere the
results as valuable ??
Any comments (flame or not) is welcome :)

Thanks in advance.


Thinking About Security Training? You Can't Afford Not

Vigilar's industry leading curriculum includes:  Security
+, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security &
more! Register Now!
--UP TO 30% off classes in select cities-- 


Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]