Evaluating the security level of a firewall

["yannick'san" <yannicksan () free fr>]

Hello folks,

Well, a couple of days ago, I had a strong discussion with friends about how
to regularly evaluate the security level of a firewall.

First of all, everybody agreed that we can't install/configure a firewall
and then sleep and consider that everything behind it is in a secure area .
In any security approach we have to think about the "life cycle" of the
firewall. thus, security managers has to plan for a recursive process for
regularly looking for its state and the vulnerabilities which could have
came out on it.
In fact, our discussion became very strong when we started to talk about the
methods we were using for. They told me that they were only evaluating the
security level by regularly launching tools (like nessus) against their
firewall. So, somewhere in a procedure it was clearly written a sentance
like this one :

"We considere (today) that the firewall and its configuration is secure
according to the results given by nessus."... and that's all.

It seems that I was the only one to considere that we could not only
evaluate a security level regarding to the results given by this tool but we
also had to look for vulnerabilities in CERTS or CVE. In case of a
0-vulnerability result, the tools will let us think that the security level
is good while in fact it is completly wrong. I considered that it was a
wrong way of thinking and told them that my sentance will have been :

"We considere (today) that the firewall and its configuration is secure
according to the results given both by a search on CVE or CERTS databases
and the actual configuration and last update. Nessus (or other tools) are
used to improve our view but are not considered as sufficient."

I've been told that looking for CVE or CERTS vulnerabilities takes too long
time for a lonely security manager who both has to deal with a lot of
equipments and other security stuffs. They said nessus give them a good
security view and without any security organisation to help them, the task
is too hard.

I answered that if a security manager can't take the time to check for
vulnerabilities in specific databases, he must write somewhere the reasons
and the security consequences of his choice.  Reason and security
consequences of just using tools like nessus. Our discussion about this
subject has covered subjects like process, procedures, methods, risk
analysis (especialy identification of the threats), security management,...,
but finaly I was told that most of companies do like them and my approach
was not used.

I would to know your point of view, your experiences, for exemple : do you
only use nessus (or anything else) and considere the results as valuable ??
Any comments (flame or not) is welcome :)

Thanks in advance.

-Yannick


---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------