Chris Lonvick wrote:
Several.Moving back into reality - if you could define the specifics for launching appropriate Nessus scans and for interpreting the results, how would you define the system under test? Running BGP during the scan will give different results than if BGP is disabled. Do you want to document all of the features that should be enabled and the expected result of a scan of that system so that a novice would be able to look at the results and determin if it "passed" or "failed"? What would be the expectation of a reader of the document if they set up their router in some proscribed manner and found that it "passed" the test, but then they enabled feature XYZ which is somehow affected by a Nessus scan? What do you do if you find that Nessus version "M" didn't actually check something but that was fixed in version "N"? I'll have to say that there are too many variables in the requirement for it to be an effective test. Trying to stabalize some of the variables will require extensive documentation and it could mean the loss of effectiveness of the test. I'll say that it is a good direction but I'm not certain how to quantify the test or the expecations of results. Thoughts?
Thanks,
Chris
On Tue, 22 Jul 2003, George Jones wrote:
OPSEC BOF - Operation Security Requirements forOK, this makes two vendors who strenuously objected to this
IP Network Elements Session
17 July 2003, IETF #57, Vienna
BS: (Bill Somerfeld, Sun) Vendors will have trouble
with 2.3.8. No vendor could comply with
2.3.8, it is too hard as written. GJ: admits that
2.3.8 needs work. BS: it is also a moving target!
requirement. I'd like feedback/discssion/suggested wording.
For the record, the requirement currently reads:
2.3.8 Ability to Withstand Well-Known Attacks and ExploitsOne of the first things I do with a new bit of equipment is take it
Requirement. The device MUST have an IP stack and operating system
that is robust enough to withstand well-known attacks and
exploits. For the purpose of this document, well-known attacks and
exploits are defined as those that have been published by the
following:
* Computer Emergency Response Team Coordination Center [CERT/CC]
Advisories
* Common Vulnerabilities and Exposures [CVE] entries
* Bugtraq [Bugtraq] postings
* Standard Nessus [Nessus] Plugins
* Vendor security bulletins for the device in question.
into the lab and hit it with nessus. What this requirement is saying
is "if a vendor hands me piece of equipment to test/buy/deploy that
has well known vulnerabilities/exploits, I (as the
customer/operator/purchaser) will fail it until the know problems are
fixed". I don't want to buy/use broken/breakable systems.
If I'm missing something please point it out.
I think last weeks little bug (http://www.cert.org/advisories/CA-2003-15.html)
and subsequent exploit (http://www.cert.org/advisories/CA-2003-17.html)
are people's exhibit #1 (no intention to pick on the particular
vendor). If today, July 22, 2003, said vendor were to bring me a new
piece of equipment for evaluation/deployment, and I were to take it
into the lab and find that it were vulnerable to CA-2003-15, I would
tell said vendor to take their equipment back and take a hike....but
fortunately in this case, said vendor appears to acting very
responsibly and is all over fixing the problem/mitigating the risk.
I would even argue that a simple nessus (or ISS, or whatever) scan
could, today, be strongly considered to be a Best Current Practice.
So, help me out. Show me where this is not reasonable and/or suggest
better wording.
---George