Merely scanning ports does not a security audit make.  In fact, scanning
ports is one of the minimalist approaches to an audit.  The audit takes
much more into consideration, including how the folks on the network go
about doing their chores.  Locking down the hosts and then letting some
admin telnet the world and toss the same passwords about in plain text
means yer still wide open to possible exploitation.  All trust
relationships near the perimeter at the least need to be assessed as well.
And this is still just touching the tip of the iceberg...

Thanks,

Ron Dufresne


On Tue, 14 Mar 2000, Paul D. Robertson wrote:

> On Mon, 13 Mar 2000, Larry wrote:
> 
> > I need to be able to go to a customer's site and do a Netwk/Security
> > audit and wondered if there was a piece of software that would do a pretty
> > good security audit out there ?
> 
> If auditing software were good enough, there wouldn't be a reason for
> people to go to sites and do audits.  The problem (mostly) *isn't*
> scanning boxes, it's knowing how things work and why- IOW interpreting the
> results.  
> 
> If you're looking for "a piece of software that would do a pretty good
> security audit", I personally think you shouldn't be trying to sell
> security audits.  Questions like this *almost* make me change my mind
> about the whole certification debate [No Dave, you don't win yet.]   
> 
> Most commercial products and open source scanners are limited to "normal"
> IP.  They don't touch a large number of other protocols that could
> have security implications, most of them don't touch routing protocol
> misconfiguration which is one of the best attack vectors out there, and a
> lot of the commercial products miss subtleties that aren't immediately
> apparent to those who would regurgitate their reports.
> 
> IMNSHO, nmap is still the best scanner out there for IP.  It doesn't do
> pretty graphs and it doesn't give you "might be right" assumptions, it
> gives you raw data.  Older stacks have problems with some of its scans,
> and undoubtedly if you try to scan any network with old gear
> aggressively you'll bring something down sooner or later.  
> 
> If you want the point and click report thingie, just look at what everyone
> else is using for that.
> 
> > If someone has a list to check by I would appreciate it, if you're willing to
> > share.
> 
> Auditors should be able to verify a network's security.  That means they
> should know a *heck* of a lot about networking and security or have
> immediate access to someone who does.  They also need to know a large
> amount about current, past and future attacks and attack patterns.
> Lastly, they should have enough operational experience to be able to
> discuss the effects of interoperability or configuration issues. 
> 
> That's not static content, and any checklist that portends to be a full
> audit needs a heck of a lot of stuff behind it that passing it out doesn't
> produce out of thin air.  If you can't make one, I think you'll have a
> heck of a time keeping one up to date.  That said, a search on "Security
> Checklist" will turn up a few candidates.  You also may want to read:
> 
> http://www.nfr.net/firewall-wizards/mail-archive/1998/Mar/0052.html
> 
> To paraphrase Marcus:
> 
> "I'm not trying to attack you for asking a simple and straightforward
> question. But, I beg you, if you find a checklist, please don't think
> it's something you can apply in a simple and straightforward manner."
> 
> Now maybe I'm mischaracterizing or misunderstanding your question, or
> maybe I'm not taking into account a long past history of INFOSEC
> experience that you have.  But *If* I was looking for an auditor and I saw
> the above question in a search, it'd make me think twice.
> 
> Paul
> [DISCLAIMER: My current employer does some level of auditing/assurance
> work that may compete directly with such a service.]
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                      PSB#9280
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
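As an added illustration of the point made in this thread (the scanner hands you raw data; the audit work is interpreting it, and cleartext logins and trust relationships are what to look for), here is example code that is not from the list or its authors. The nmap -oG grepable line format is real; the hosts, services and rule table are constructed for the example.

```python
"""Turn raw nmap grepable (-oG) output into audit findings that still need a human."""
import re
from typing import Dict, List

# Constructed sample of nmap -oG output for three hosts; not captured from any real network.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 (fw-admin)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 10.0.0.7 (unix-box)\tPorts: 513/open/tcp//login///, 514/open/tcp//shell///, 161/open/udp//snmp///
Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///
"""

# (port, proto) -> (finding, the question a scanner cannot answer by itself).
# The table is an assumption for this example, chosen to match the thread's concerns.
RULES: Dict[tuple, tuple] = {
    (23, "tcp"):  ("cleartext login (telnet)", "do admins use it across untrusted segments?"),
    (513, "tcp"): ("rlogin: host-based trust (.rhosts/hosts.equiv)", "review the trust relationships"),
    (514, "tcp"): ("rsh: host-based trust, no password", "review the trust relationships"),
    (21, "tcp"):  ("cleartext login (ftp)", "anonymous only, or real accounts?"),
    (161, "udp"): ("snmp: community strings in the clear", "read-write community? reachable from where?"),
}

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)///")

def parse_grepable(text: str) -> Dict[str, List[tuple]]:
    """Map each scanned host address to its open (port, proto, service) tuples."""
    hosts: Dict[str, List[tuple]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        addr = line.split()[1]
        ports_field = line.split("Ports:", 1)[1] if "Ports:" in line else ""
        hosts[addr] = [(int(p), proto, svc) for p, _, proto, svc in PORT_RE.findall(ports_field)]
    return hosts

def findings(text: str) -> List[Dict[str, str]]:
    """Annotate open ports that imply cleartext credentials or trust relationships."""
    out: List[Dict[str, str]] = []
    for addr, ports in parse_grepable(text).items():
        for port, proto, _svc in ports:
            if (port, proto) in RULES:
                what, question = RULES[(port, proto)]
                out.append({"host": addr, "port": f"{port}/{proto}", "finding": what, "ask": question})
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_OG):
        print(f"{f['host']:10} {f['port']:8} {f['finding']} -> {f['ask']}")
```

The 443 host produces no finding: the script only flags what the thread calls out, and everything else still needs the auditor's judgment.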
