In a previous life I've seen Coopers and Lybrand's so-called security
evaluation. To put it politely, I was not impressed. For our UNIX
servers, they wanted a printout of the file permissions for every file
on every system. I guess they never heard of 'find'. They missed NFS
permission problems (like export *WORLD* *WRITABLE*), they missed that
databases were *WORLD* *WRITABLE*, they missed a lot of basic hole
checking. But, they were improving. The first time I met with them
they didn't ask for any file permissions.
Note: I say the above, and I say everything as an individual. I am
not now, or ever have been a spokesman for where I work now.
______________________________ Reply Separator _________________________________
Subject: Re: Microsoft plans to offer a firewall
Author: "osiris @
pacificnet .
net" <osiris @
pacificnet .
net> at INTERNET
Date: 7/3/97 12:25 AM
Yeah, incredible but true. However, for those that are genuinely
interested, the full URL to that document is here:
http://www.microsoft.com/proxy/common/Coopers.exe
A few noteworthy points...According to M$:
"Coopers & Lybrand LLP (C&L) conducted a four phase
evaluation program that reviewed Installation, Configuration,
Security Feature Analysis, and Penetration Testing in an
effort to "unearth" any security vulnerabilities of Microsoft
Proxy Server."
C&L claim that the product withstood attacks from "...well-known and
well documented tools, such as the public domain tools Internet Security
Scanner and Satan..." Immediately following this, C&L advises that
"...without careful installation, monitoring, and observation, any
computing product or system may be vulnerable to exploitation..." In
other words, "..we evaluated this product, but we cannot vouch for it,
nor place our reputation on the line."
Moreover (and even more incredibly) C&L go on to say that the Proxy
Server uses NT 4.0 as its platform and therefore, 4.0's IP forwarding
"may" present some security issues. Let me repeat that: IP forwarding
MAY present some security issues.
Whatever. Meanwhile, are they saying that if a target survives a scan by
SafeSuite or SATAN, that it's okay? (Maybe Ballista would have been a
better choice as it is a more recent development. I wonder, did they try
scanning it with Jakal?) Okay enough to give it this "Security Seal of
Approval" that M$ is parading around? Hahahaha. Not the Security Seal of
Approval. Anything but that. That - and about 1.75 - will get you...Received: from pa0016c4.kpmg.com (130.100.150.27) by mailgate1.kpmg.com with
SMTP
(IMA Internet Exchange 2.1 Enterprise) id 00054C09; Thu, 3 Jul 97 15:01:07
-0400
Received: from pa0016c1.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with ESMTP id
OAA19385 for <kenng @
kpmg .
com>; Thu, 3 Jul 1997 14:55:55 -0400 (EDT)
Received: by pa0016c1.kpmg.com; id OAA20198; Thu, 3 Jul 1997 14:56:38 -0400
(EDT)
Received: from relay2.uu.net(192.48.96.7) by pa0016c1.kpmg.com via smap (3.2)
id xma020133; Thu, 3 Jul 97 14:56:34 -0400
Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP
(peer crosschecked as: [198.102.244.44])
id QQcwqd12965; Thu, 3 Jul 1997 14:55:26 -0400 (EDT)
Received: (majordom @
localhost) by honor.greatcircle.com
(8.8.5/Honor-Lists-970308-1) id AAA05792 for firewalls-outgoing; Thu, 3 Jul 1997
00:16:20 -0700 (PDT)
Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250])
by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA05747 for
<firewalls @
GreatCircle .
COM>; Thu, 3 Jul 1997 00:16:09 -0700 (PDT)
Received: from default (pm14-11.pacificnet.net [207.171.10.44])
by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id AAA23923;
Thu, 3 Jul 1997 00:09:44 -0700 (PDT)
Message-ID: <33BB53E7 .
583F @
pacificnet .
net>
Date: Thu, 03 Jul 1997 00:25:27 -0700
From: "osiris @
pacificnet .
net" <osiris @
pacificnet .
net>
Reply-To: osiris @
pacificnet .
net
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Harry Mantakos <harry @
meretrix .
com>
CC: firewalls @
GreatCircle .
COM
Subject: Re: Microsoft plans to offer a firewall
References: <199707030318 .
XAA11240 @
kiri .
meretrix .
com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner @
GreatCircle .
COM
Precedence: bulk
Follow-Ups:
|
|
