Re: Lab OS Choices

From: Pete Herzog (lists@isecom.org)
Date: Wed Aug 15 2007 - 04:32:43 EDT


Hi,

Over the last 6 years we have studied the differences of tests against
various platforms of virtual and real systems. This has led us to making
the best possible test network we can for the OPST and OPSA certification
exams. What we have found is that there is a large difference between them
on the network packet level but almost none on the application level
(although various application tests do rely on the encapsulating protocol
so YMMV).

What's most important is the the tester's machine is NOT virtual. Because
the low-level problems at packet level do multiply during testing multiple
systems. However for a complete lab set up, make sure your virtual systems
are as close to the OS as possible- kernel level preferably, or else use
the real thing directly on metal. If you will only be doing application
tests, then it probably matters very little and go with your higher level
virtual machines.

One final note, as Jerry mentions, make sure your network devices are real!
  Don't try to virtualize networking because it is very complicated and
will look very fake. We tested virtual networks and virtual networking but
such systems could not handle team traffic (low-to-medium traffic) without
producing errors. If you want to virtualize port forwards and simple hops,
you can et away with that between low-level virtualized machines but don't
try to duplicate anything else or else your error rate will compound and
make your analysis practically worthless.

Sincerely,
-pete.

Shenk, Jerry A wrote:
> I've found a few tests that worked against virtual machines but did not
> work against real machines. I agree, in most cases, there really is no
> difference.
>
> I also have some routers in my lab. That way, I can set up egress
> filtering between the servers and the attackers in the lab. That will
> help you get some realism about some things, particularly local exploits
> of machines inside the network (like an Exchange client attack). I
> think that also increases your credibility when talking with
> clients...for example, "In the lab, we set up egress filtering...blah,
> blah, blah...and with the filtering enabled, the remote exploit of the
> Exchange client worked in that it crashed the client but it made it much
> more difficult to get to a command-prompt on that box." That's not
> really part of the pen-test itself but the real goal of the pen-test is
> to make the network more secure and it definitely goes toward explaining
> to the client how to make their network more secure.
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:02 EDT