mailing list archives
Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: Deri Jones <Deri.Jones () NTA-MONITOR COM>
Date: Wed, 27 Sep 2000 18:20:15 +0100
At 11:27 27/09/00 -0400, you wrote:
The network has no remote access points (it does not have a VPN or any
Dial-Up Servers). It has only a sever, router, & firewall.
You don't say what brand/version of firewall.
Talking about the theory of NAT/SPI etc is useful, but in the real world,
it's the real products that count. Many products add extra 'management'
functionality and stuff, that can make two NAT boxes totally different.
You also don't say what services you do intend to allow through the
firewall - the less you allow, the less scope for problems.
Lastly, testing also needs to be more than justa 'firewall' test - test the
router (it's outside the FW's protection), test all the servers that are
publicly visible (letting SMTP through to an email server that allows mail
relaying opens you up to be through-spammed, no matter the firewall is
Pen testing is not as romantic as some would suggest - alot of it is
ploughing boringly through *alot* of tests.
You might also wonder, whether it would also be helpful to your friend to
in some experienced testers, and you can observe and help out. It would be
a shame to have saved your friend a few bucks by you doing the job, only for
him to have problems in an area just beyond the horizon where you had