Re: Lab OS Choices

From: Peter Manis (manis@digital39.com)
Date: Wed Aug 15 2007 - 05:21:49 EDT


It's official, I have a lot to learn about networking, haha

When you mention making sure the OS is as close as possible are you
speaking about the guest to the host, or the tester's machine and the
victim VM?

If you are using physical network hardware with virtual machines will
the lack of the physical machines affect any of the tests?

You mention not virtualizing the network, can using one of the Cisco
IOS emulators like dynamips have any benefit? I guess it is the same
thing as virtualizing, but in a situation like mine where I don't have
access to 9 models of Cisco. Would it work well enough to learn a
little about attacking the various models? I am looking at buying 1
or 2 Cisco 2950s and a router (any recommendations on model?) to work
with, but I am a programmer so I would not be around any other models
very often.

Thanks everyone,

Pete

On 8/15/07, Pete Herzog <lists@isecom.org> wrote:
> Hi,
>
> Over the last 6 years we have studied the differences of tests against
> various platforms of virtual and real systems. This has led us to making
> the best possible test network we can for the OPST and OPSA certification
> exams. What we have found is that there is a large difference between them
> on the network packet level but almost none on the application level
> (although various application tests do rely on the encapsulating protocol
> so YMMV).
>
> What's most important is that the tester's machine is NOT virtual. Because
> the low-level problems at packet level do multiply during testing multiple
> systems. However for a complete lab set up, make sure your virtual systems
> are as close to the OS as possible- kernel level preferably, or else use
> the real thing directly on metal. If you will only be doing application
> tests, then it probably matters very little and go with your higher level
> virtual machines.
>
> One final note, as Jerry mentions, make sure your network devices are real!
> Don't try to virtualize networking because it is very complicated and
> will look very fake. We tested virtual networks and virtual networking but
> such systems could not handle team traffic (low-to-medium traffic) without
> producing errors. If you want to virtualize port forwards and simple hops,
> you can get away with that between low-level virtualized machines but don't
> try to duplicate anything else or else your error rate will compound and
> make your analysis practically worthless.
>
> Sincerely,
> -pete.
>
>
> Shenk, Jerry A wrote:
> > I've found a few tests that worked against virtual machines but did not
> > work against real machines. I agree, in most cases, there really is no
> > difference.
> >
> > I also have some routers in my lab. That way, I can set up egress
> > filtering between the servers and the attackers in the lab. That will
> > help you get some realism about some things, particularly local exploits
> > of machines inside the network (like an Exchange client attack). I
> > think that also increases your credibility when talking with
> > clients...for example, "In the lab, we set up egress filtering...blah,
> > blah, blah...and with the filtering enabled, the remote exploit of the
> > Exchange client worked in that it crashed the client but it made it much
> > more difficult to get to a command-prompt on that box." That's not
> > really part of the pen-test itself but the real goal of the pen-test is
> > to make the network more secure and it definitely goes toward explaining
> > to the client how to make their network more secure.
> >
>



