On 7 Apr 99, at 15:30, [EMAIL PROTECTED] wrote:

> > -----Original Message-----
> > From:        [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent:        Wednesday, 7 April 1999 03:39
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject:    Re: AW: Hacking Contest ?
> > 
> > On 6 Apr 99, at 15:08, [EMAIL PROTECTED] wrote:
> > 
> > > > -----Original Message-----
> > > > From:    [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > > > Sent:    Wednesday, 31 March 1999 16:22
> > > > 
> > > > Dude, are you nuts. In essence, you are asking a pack of wolves to
> > help
> > > > you protect your sheep farm.  Hire a reliable and trustworthy group
> > like
> > > > Network Security Solutions to do this.
> > > 
> > >   [Kunz, Peter]  What do you folks think of the IT wings of the big 5
> > > auditing firms offering penetration testing?
> > 
> >   It's a tough call.  On the one hand, it's useful to have the 
> > penetration test done by someone other than the security admins, so you 
> > get a realistic exercise.
> > 
>       [Kunz, Peter]   And who would be the proper entity for such testing?

  Many security firms offer this kind of service, as do IBM and some of the 
large accounting-consulting firms.
 
> >    On the other hand, paid intruders are usually bound by an agreement 
> > not to "damage" the system, and this limits the extent to which they 
> > can test for real-world vulnerabilities.  They'll easily uncover a 
> > 
>       [Kunz, Peter]  Only DoS? How small is the error?

  Even DoS, because it would impact customers' use of the system, has been 
off-limits....
 
> > network that is totally unprotected, but probably cannot discriminate 
> > well between "protected", "hardened", and "locked down".
> > 
>       [Kunz, Peter]  How would you define these?

  In our most recent test, the "intruders" were able to identify each 
externally-visible server and what services we provide connectivity 
for.  But, for example, on our HTTP server, they were unable to 
identify the specific OS and server implementations, and whether these 
were or were not up to date on patches/service packs.
  So, if they had been able to get to telnet, finger, etc, on that 
server, they would have been able to report that we were wide open.  
But they could not (did not) do anything to distinguish between our having 
shut off unnecessary services, and our having ongoing security 
maintenance of the services we do provide.  The base page provided from 
our server is a login page -- we never saw any attempt to verify or 
crack this layer of security at all.

  I don't know what the right answer is.  The most reliable way to 
determine if the production network is vulnerable to attack X is to try 
attack X on it and see if it works.  But in the typical situation where 
successful attacks are not an acceptable consequence of testing, it is 
essentially impossible to certify a site as immune to any given attack. 
It's a hard problem.


David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
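Added example (not part of the original thread, not code from any poster): a small
Python triage script for the gap David describes above, namely a test that actually
tells a service that was shut off apart from one that answers but discloses nothing,
and a disclosed version that is at a patched level apart from one that is not. The
host, the banners, the port list and the minimum-patched-version table are all
constructed for illustration; a real run would feed it live banner grabs and a
current advisory list rather than the hypothetical numbers below.

```python
"""
Banner-grab triage: "shut off" vs "answers but says nothing" vs "says a
version that is (or is not) patched".  Added example; all data constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Hypothetical minimum patched versions (constructed for this example;
# these are NOT real advisory numbers).
MIN_PATCHED: Dict[str, Tuple[int, ...]] = {
    "apache": (1, 3, 9),
    "sendmail": (8, 9, 3),
    "wu-ftpd": (2, 6, 0),
}
# Some daemons name themselves differently in the banner than in advisories.
PRODUCT_ALIASES = {"wu": "wu-ftpd"}

# "Product/1.2.3" or "wu-2.4.2" style tokens; name is non-greedy so that
# "wu-2.4.2" yields product "wu" while "wu-ftpd/2.6.0" yields "wu-ftpd".
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*?)[/-](\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.12' -> (1, 3, 12); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


def http_server_header(raw: bytes) -> str:
    """Return the Server: header value from a raw HTTP response, or ''.

    Only the header value is examined, so the 'HTTP/1.1' status line is
    never mistaken for a product/version token.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:        # [1:] skips the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def disclosed_product(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """(product, version) if the banner leaks one, else None."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    product = m.group(1).lower()
    return PRODUCT_ALIASES.get(product, product), parse_version(m.group(2))


def classify_banner(banner: str) -> str:
    """
    'exposed'    product and version disclosed, version below MIN_PATCHED
    'maintained' product and version disclosed, version at/above MIN_PATCHED
    'unlisted'   version disclosed but product not in our table
    'obscured'   service answers but leaks no product/version; from the
                 outside this is indistinguishable from neglect, which is
                 exactly the case the message above complains about
    """
    found = disclosed_product(banner)
    if found is None:
        return "obscured"
    product, version = found
    floor = MIN_PATCHED.get(product)
    if floor is None:
        return "unlisted"
    return "maintained" if version >= floor else "exposed"


def classify_host(services: Dict[int, Optional[bytes]]) -> Dict[int, str]:
    """services maps port -> raw banner bytes, or None if the port did not
    answer.  'closed' is the only state a no-damage test can confirm for a
    service that was shut off."""
    report: Dict[int, str] = {}
    for port, raw in sorted(services.items()):
        if raw is None:
            report[port] = "closed"
            continue
        if port in (80, 443):
            banner = http_server_header(raw)
        else:
            banner = raw.decode("latin-1", "replace")
        report[port] = classify_banner(banner)
    return report


# Constructed sample scan of one hypothetical host (not real data).
SAMPLE_SCAN: Dict[int, Optional[bytes]] = {
    21: b"220 ftp.example.test FTP server (Version wu-2.4.2-academ) ready.\r\n",
    23: None,                                   # telnet shut off
    25: b"220 mail.example.test ESMTP Sendmail/8.9.3; Wed, 7 Apr 1999 15:30:00\r\n",
    79: None,                                   # finger shut off
    80: b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>login</html>",
}

if __name__ == "__main__":
    for port, state in classify_host(SAMPLE_SCAN).items():
        print(f"{port:>5}  {state}")
```

On the sample host the script reports 21 as exposed (old wu-ftpd version disclosed),
25 as maintained, 23 and 79 as closed, and 80 as obscured: the web server answers
with a bare "Apache" and no version, which is the situation described above where a
tester who stops at the banner cannot say whether the box is hardened or merely
quiet. Getting past "obscured" needs either an authorised version check from the
inside or the kind of active probing the no-damage agreement rules out.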
