[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Try this

To: George Jones <gmj@pobox.com>
Subject: Re: Try this
From: Chris Lonvick <clonvick@cisco.com>
Date: Thu, 31 Jul 2003 18:36:13 -0700 (PDT)
Cc: "Smith, Donald" <Donald.Smith@qwest.com>, <opsec@ops.ietf.org>
In-reply-to: <Pine.LNX.4.53.0307312022060.17107@mall.pulltheplug.com>
Hi George,

( s/Trow/Throw/  :-)

How far from the DUT should the testor stand?
Should the CD be thrown frisbee-style or face-on?
If frisbee-style, forehand or backhand?
If face-on, overhand or underhand?
What force should be used to propel the CD?

If I merely "Observe the results" does this mean that the DUT will always
pass?  What happens if it really does go down upon impact?  I'm still
unsure what consititutes a pass/fail situation.  If the paint on the DUT
were scratched to reveal yellow primer, would that be a cause for alarm?

The Security Considerations section really must include a warning about
eye protection.

Later,
Chris


On Thu, 31 Jul 2003, George Jones wrote:

> None.                                                           G. Jones
> Internet-Draft                                             July 31, 2003
> Expires: January 29, 2004
>
>
>   Procedures For Testing Network Equipment For Common Vulnerabilities
>                        draft-jones-use-nessus-00
>
> Status of this Memo
>
>    This document is an Internet-Draft and is in full conformance with
>    all provisions of Section 10 of RFC2026.
>
>    Internet-Drafts are working documents of the Internet Engineering
>    Task Force (IETF), its areas, and its working groups. Note that other
>    groups may also distribute working documents as Internet-Drafts.
>
>    Internet-Drafts are draft documents valid for a maximum of six months
>    and may be updated, replaced, or obsoleted by other documents at any
>    time. It is inappropriate to use Internet-Drafts as reference
>    material or to cite them other than as "work in progress."
>
>    The list of current Internet-Drafts can be accessed at http://
>    www.ietf.org/ietf/1id-abstracts.txt.
>
>    The list of Internet-Draft Shadow Directories can be accessed at
>    http://www.ietf.org/shadow.html.
>
>    This Internet-Draft will expire on January 29, 2004.
>
> Copyright Notice
>
>    Copyright (C) The Internet Society (2003). All Rights Reserved.
>
> Abstract
>
>    This document outlines procedures that may be used to test network
>    equipment for well known vulnerabilities. This information is being
>    provided to the Internet community in the hopes that network
>    operators will adopt the procedures outlined as part of their normal
>    practice during the procurement process and as part of ongoing
>    security evaluation procedures.   It is also hoped that vendors will
>    adopt these procedures as part of their quality assurance procedures.
>    The overall goals are increased awareness of and an reduction in the
>    number of well known exposures in deployed network equipment.
>
>    Please send comments to gmj@pobox.com.
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 1]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
> Table of Contents
>
>    1. Primary Vulnerability Detection Procedure  . . . . . . . . . . . 3
>    2. Vendor Recommended Vulnerability Detection Procedure . . . . . . 4
>    3. Security Considerations  . . . . . . . . . . . . . . . . . . . . 5
>       References . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
>       Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
>       Intellectual Property and Copyright Statements . . . . . . . . . 7
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 2]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
> 1. Primary Vulnerability Detection Procedure
>
>    o  Use [Nessus].
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 3]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
> 2. Vendor Recommended Vulnerability Detection Procedure
>
>    o  Download the most recent version of Nessus.
>
>    o  Burn it onto a CD.
>
>    o  Trow the CD at the Device Under Test (DUT).
>
>    o  Observe the results.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 4]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
> 3. Security Considerations
>
>    o  The primary instructions assume intelligence on the part of the
>       tester.
>
>    o  While the intent of these instructions is to assist network
>       operators and vendors in assessing the security posture of devices
>       that they, respectively, produce and deploy, detailed,
>       easy-to-follow instructions listing methods of detecting (and
>       possibly exploiting) vulnerabilities in networked devices could be
>       misused by hackers to do Bad Things.  This could be an argument
>       (made, for instance, by your legal department) for not publishing
>       detailed, easy to use instructions.  However, see the assumption
>       in the previous item...then ask yourself "how bright is your
>       average hacker/script kiddie" and "do these recommendations
>       *really* tell the bright hackers anything they didn't already know
>       ?"
>
>    o  It is possible, though not likely, that widespread adoption of the
>       procedures outlined in this memo will result in large sums of
>       money flowing to (previously) poor, overworked open-source
>       software developers, thus altering their development priorities in
>       ways that result in fewer vulnerabilities being reported in the
>       products of certain vendors.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 5]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
> References
>
>    [Nessus]  Deraison, R., "Nessus Security Scanner", 2003, <http://
>              www.nessus.org>.
>
>
> Author's Address
>
>    George M. Jones
>
>
>
>    Phone:
>    EMail: gmj@pobox.com
>    URI:   http://www.port111.com/george/
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 6]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
> Intellectual Property Statement
>
>    The IETF takes no position regarding the validity or scope of any
>    intellectual property or other rights that might be claimed to
>    pertain to the implementation or use of the technology described in
>    this document or the extent to which any license under such rights
>    might or might not be available; neither does it represent that it
>    has made any effort to identify any such rights. Information on the
>    IETF's procedures with respect to rights in standards-track and
>    standards-related documentation can be found in BCP-11. Copies of
>    claims of rights made available for publication and any assurances of
>    licenses to be made available, or the result of an attempt made to
>    obtain a general license or permission for the use of such
>    proprietary rights by implementors or users of this specification can
>    be obtained from the IETF Secretariat.
>
>    The IETF invites any interested party to bring to its attention any
>    copyrights, patents or patent applications, or other proprietary
>    rights which may cover technology that may be required to practice
>    this standard. Please address the information to the IETF Executive
>    Director.
>
>
> Full Copyright Statement
>
>    Copyright (C) The Internet Society (2003). All Rights Reserved.
>
>    This document and translations of it may be copied and furnished to
>    others, and derivative works that comment on or otherwise explain it
>    or assist in its implementation may be prepared, copied, published
>    and distributed, in whole or in part, without restriction of any
>    kind, provided that the above copyright notice and this paragraph are
>    included on all such copies and derivative works. However, this
>    document itself may not be modified in any way, such as by removing
>    the copyright notice or references to the Internet Society or other
>    Internet organizations, except as needed for the purpose of
>    developing Internet standards in which case the procedures for
>    copyrights defined in the Internet Standards process must be
>    followed, or as required to translate it into languages other than
>    English.
>
>    The limited permissions granted above are perpetual and will not be
>    revoked by the Internet Society or its successors or assignees.
>
>    This document and the information contained herein is provided on an
>    "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
>    TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
>    BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
>
>
>
> Jones                   Expires January 29, 2004                [Page 7]
>
> Internet-Draft              Trust But Verify                   July 2003
>
>
>    HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
>    MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
>
>
> Acknowledgment
>
>    Funding for the RFC Editor function is currently provided by the
>    Internet Society.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Jones                   Expires January 29, 2004                [Page 8]
>
>
>
References:
- Try this
  - From: George Jones <gmj@pobox.com>
Prev by Date: Try this
Next by Date: RE: Dropping stealthing from opsec; Anyone for a little I>R<TF work ?
Previous by thread: Try this
Next by thread: RE: Dropping stealthing from opsec; Anyone for a little I>R<TF work ?
Index(es):
- Date
- Thread