Firewall Wizards: Re: Proxy 2.0 secure?

Re: Proxy 2.0 secure?

From: David Newman <dnewman_at_cmp.com>
Date: Tue, 30 Jun 1998 23:41:43 -0400

Thomas,

I'm sorry you're attacking me, for we are actually in violent agreement
here. Let me remind you that I came in on this thread by *agreeing* with
you that running a finite, known set of attacks against a properly
configured device does *not* mean a device is secure.

Also, a clarification: ISS Safesuite has multiple modules, including one
that is intended for use against *firewalls,* not end-systems. It was this
firewall-specific module we used in our testing. I have no interest in ISS
Safesuite, nor have I ever represented it as encompassing the universe of
attacks a firewall would face.

dn

tqbf_at_pobox.com on 06/30/98 05:04:20 AM

Please respond to tqbf_at_pobox.com

To: David Newman/NYC/CMPNotes
cc: tqbf_at_pobox.com, firewall-wizards_at_nfr.net
Subject: Re: Proxy 2.0 secure?

> The article made clear that we did not in any way certify products as
> "secure," whatever that means. Our tests evaluated only whether properly

You stated that your methodology would not account for misconfiguration or
new attacks. I am stating that your methodology does not account for old
attacks, either, but rather only the specific incarnations of a specific
set of largely irrelevant (to a firewall) attacks generated by a network
testing tool designed to test end-systems and not firewalls. Your
disclaimer is thus seriously misleading.

> both very real problems, but beyond the scope of our test. I agree that
> scanners and IDS products are a good way of evaluating device configuration
> (and I'm pleased to see you think IDS products are good for something ;-)

I do not think I-D is a good way of verifying device configuration; I
think that the use of I-D for config verification is seriously flawed.
Moreover, you did not use I-D tools in your test (or if you did, you
didn't document that in your article).

Additionally, I do not think IDS products based on passive network
analysis ("sniffing") are worth anything at all. I have no opinion about
any other form of I-D (and there are many others, some of which are
incarnated in very popular commercial packages); please do not
misunderstand this.

-----------------------------------------------------------------------------
Thomas H. Ptacek                       SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf     "If you're so special, why aren't you dead?"
Received on Jul 01 1998