Re: Try this
Hi George,
( s/Trow/Throw/ :-)
How far from the DUT should the tester stand?
Should the CD be thrown frisbee-style or face-on?
If frisbee-style, forehand or backhand?
If face-on, overhand or underhand?
What force should be used to propel the CD?
If I merely "Observe the results" does this mean that the DUT will always
pass? What happens if it really does go down upon impact? I'm still
unsure what constitutes a pass/fail situation. If the paint on the DUT
were scratched to reveal yellow primer, would that be a cause for alarm?
The Security Considerations section really must include a warning about
eye protection.
Later,
Chris
On Thu, 31 Jul 2003, George Jones wrote:
> None. G. Jones
> Internet-Draft July 31, 2003
> Expires: January 29, 2004
>
>
> Procedures For Testing Network Equipment For Common Vulnerabilities
> draft-jones-use-nessus-00
>
> Status of this Memo
>
> This document is an Internet-Draft and is in full conformance with
> all provisions of Section 10 of RFC2026.
>
> Internet-Drafts are working documents of the Internet Engineering
> Task Force (IETF), its areas, and its working groups. Note that other
> groups may also distribute working documents as Internet-Drafts.
>
> Internet-Drafts are draft documents valid for a maximum of six months
> and may be updated, replaced, or obsoleted by other documents at any
> time. It is inappropriate to use Internet-Drafts as reference
> material or to cite them other than as "work in progress."
>
> The list of current Internet-Drafts can be accessed at
> http://www.ietf.org/ietf/1id-abstracts.txt.
>
> The list of Internet-Draft Shadow Directories can be accessed at
> http://www.ietf.org/shadow.html.
>
> This Internet-Draft will expire on January 29, 2004.
>
> Copyright Notice
>
> Copyright (C) The Internet Society (2003). All Rights Reserved.
>
> Abstract
>
> This document outlines procedures that may be used to test network
> equipment for well known vulnerabilities. This information is being
> provided to the Internet community in the hopes that network
> operators will adopt the procedures outlined as part of their normal
> practice during the procurement process and as part of ongoing
> security evaluation procedures. It is also hoped that vendors will
> adopt these procedures as part of their quality assurance procedures.
> The overall goals are increased awareness of and a reduction in the
> number of well known exposures in deployed network equipment.
>
> Please send comments to gmj@pobox.com.
>
>
>
>
>
> Jones Expires January 29, 2004 [Page 1]
>
> Internet-Draft Trust But Verify July 2003
>
>
> Table of Contents
>
> 1. Primary Vulnerability Detection Procedure . . . . . . . . . . . 3
> 2. Vendor Recommended Vulnerability Detection Procedure . . . . . . 4
> 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
> References . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
> Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
> Intellectual Property and Copyright Statements . . . . . . . . . 7
>
> 1. Primary Vulnerability Detection Procedure
>
> o Use [Nessus].
>
> 2. Vendor Recommended Vulnerability Detection Procedure
>
> o Download the most recent version of Nessus.
>
> o Burn it onto a CD.
>
> o Trow the CD at the Device Under Test (DUT).
>
> o Observe the results.
>
> 3. Security Considerations
>
> o The primary instructions assume intelligence on the part of the
> tester.
>
> o While the intent of these instructions is to assist network
> operators and vendors in assessing the security posture of devices
> that they, respectively, produce and deploy, detailed,
> easy-to-follow instructions listing methods of detecting (and
> possibly exploiting) vulnerabilities in networked devices could be
> misused by hackers to do Bad Things. This could be an argument
> (made, for instance, by your legal department) for not publishing
> detailed, easy to use instructions. However, see the assumption
> in the previous item...then ask yourself "how bright is your
> average hacker/script kiddie" and "do these recommendations
> *really* tell the bright hackers anything they didn't already know?"
>
> o It is possible, though not likely, that widespread adoption of the
> procedures outlined in this memo will result in large sums of
> money flowing to (previously) poor, overworked open-source
> software developers, thus altering their development priorities in
> ways that result in fewer vulnerabilities being reported in the
> products of certain vendors.
>
> References
>
> [Nessus] Deraison, R., "Nessus Security Scanner", 2003, <http://www.nessus.org>.
>
>
> Author's Address
>
> George M. Jones
>
>
>
> Phone:
> EMail: gmj@pobox.com
> URI: http://www.port111.com/george/
>
> Intellectual Property Statement
>
> The IETF takes no position regarding the validity or scope of any
> intellectual property or other rights that might be claimed to
> pertain to the implementation or use of the technology described in
> this document or the extent to which any license under such rights
> might or might not be available; neither does it represent that it
> has made any effort to identify any such rights. Information on the
> IETF's procedures with respect to rights in standards-track and
> standards-related documentation can be found in BCP-11. Copies of
> claims of rights made available for publication and any assurances of
> licenses to be made available, or the result of an attempt made to
> obtain a general license or permission for the use of such
> proprietary rights by implementors or users of this specification can
> be obtained from the IETF Secretariat.
>
> The IETF invites any interested party to bring to its attention any
> copyrights, patents or patent applications, or other proprietary
> rights which may cover technology that may be required to practice
> this standard. Please address the information to the IETF Executive
> Director.
>
>
> Full Copyright Statement
>
> Copyright (C) The Internet Society (2003). All Rights Reserved.
>
> This document and translations of it may be copied and furnished to
> others, and derivative works that comment on or otherwise explain it
> or assist in its implementation may be prepared, copied, published
> and distributed, in whole or in part, without restriction of any
> kind, provided that the above copyright notice and this paragraph are
> included on all such copies and derivative works. However, this
> document itself may not be modified in any way, such as by removing
> the copyright notice or references to the Internet Society or other
> Internet organizations, except as needed for the purpose of
> developing Internet standards in which case the procedures for
> copyrights defined in the Internet Standards process must be
> followed, or as required to translate it into languages other than
> English.
>
> The limited permissions granted above are perpetual and will not be
> revoked by the Internet Society or its successors or assignees.
>
> This document and the information contained herein is provided on an
> "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
> TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
> BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
> HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
>
>
> Acknowledgment
>
> Funding for the RFC Editor function is currently provided by the
> Internet Society.
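On the pass/fail question raised in the reply: one way to make "Observe the results" concrete is to gate procurement on what the scanner reports rather than on the state of the paint. The script below is an added example, not code from the draft or from either message. It assumes Nessus exported its findings in the pipe-separated NBE format (results|subnet|host|port|plugin id|severity|description), which is an assumption about the scanner's output, and the sample records, plugin IDs and descriptions embedded in it are constructed for illustration, not findings against any real product.

```python
"""Pass/fail gate over Nessus NBE-style scan output (added example).

Assumed record layout (NBE export, one record per line):
    results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
Other record types (timestamps, ...) and malformed lines are ignored.
Sample data, plugin IDs and descriptions below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Nessus severity labels, ranked so a threshold can be applied.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}


@dataclass
class Finding:
    host: str
    port: str
    plugin_id: str
    severity: str
    description: str


@dataclass
class Verdict:
    passed: bool
    counts: Counter = field(default_factory=Counter)   # findings per severity
    blocking: list = field(default_factory=list)       # findings that failed the DUT


def parse_nbe(text):
    """Yield a Finding for each well-formed 'results' record; skip everything else."""
    for line in text.splitlines():
        parts = line.split("|", 6)          # description may itself contain '|'
        if len(parts) != 7 or parts[0] != "results":
            continue
        _, _subnet, host, port, plugin_id, severity, desc = parts
        if severity not in SEVERITY_RANK:   # unknown label: do not guess a rank
            continue
        yield Finding(host, port, plugin_id, severity,
                      desc.replace("\\n", " ").strip())


def evaluate(text, fail_at="Security Hole", waived=frozenset()):
    """The DUT passes iff no unwaived finding is at or above the fail_at severity.

    waived: plugin IDs whose risk the buyer has explicitly accepted in writing;
    they are still counted, but do not block the verdict.
    """
    threshold = SEVERITY_RANK[fail_at]
    verdict = Verdict(passed=True)
    for f in parse_nbe(text):
        verdict.counts[f.severity] += 1
        if SEVERITY_RANK[f.severity] >= threshold and f.plugin_id not in waived:
            verdict.passed = False
            verdict.blocking.append(f)
    return verdict


# Constructed sample export for one DUT (documentation address 192.0.2.1).
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Jul 31 10:00:00 2003|
timestamps||192.0.2.1|host_start|Thu Jul 31 10:00:01 2003|
results|192.0.2|192.0.2.1|general/tcp|99001|Security Note|Remote device identifies itself as a router (constructed)
results|192.0.2|192.0.2.1|telnet (23/tcp)|99002|Security Warning|Telnet is enabled; credentials cross the wire in clear text (constructed)
results|192.0.2|192.0.2.1|snmp (161/udp)|99003|Security Hole|SNMP agent answers to the community string 'public' (constructed)
results|192.0.2|192.0.2.1|http (80/tcp)|99004|Security Hole|Management web interface accepts the factory default password (constructed)
timestamps||192.0.2.1|host_end|Thu Jul 31 10:05:00 2003|
this line is not a record and must be ignored
timestamps|||scan_end|Thu Jul 31 10:05:01 2003|
"""

if __name__ == "__main__":
    v = evaluate(SAMPLE_NBE)
    print("PASS" if v.passed else "FAIL", dict(v.counts))
    for f in v.blocking:
        print(f"  {f.host} {f.port} plugin {f.plugin_id}: {f.description}")
```

The default policy fails the DUT on any Security Hole; fail_at lets a buyer raise the bar to Security Warning (which would also catch the clear-text telnet finding above), and waived records accepted risks by plugin ID so the verdict is reproducible across vendors and rescans rather than depending on how hard the CD was thrown.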