I would ask for external and internal pentest.....remember a hacker won't ask you to disable you're protections.
And you are looking to measure your security.
Enjoy
Jose
Este mensaje puede contener información privilegiada y confidencial. Dicha información es exclusiva para el individuo o entidad al cual es enviada. Si el lector de este mensaje no es el destinatario del mismo, queda formalmente notificado que cualquier divulgación, distribución, reproducción o copiado de esta comunicación está estrictamente prohibido. Si este es el caso, favor eliminar el mensaje de su computadora e informar al emisor a través de un mensaje de respuesta. Las opiniones expresadas en este mensaje son propias del autor y no necesariamente coinciden con las de ALAVER
Gracias.
ALAVER
This message may contain information that is privileged and confidential. It is intended only for the use of the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, reproduction or copying of this communication is strictly prohibited. If this is the case, please proceed to destroy the message from your computer and inform the sender through reply mail. Information in this message that does not directly relate to the official business of the company shall be understood as neither given nor endorsed by it.
Thank you.
ALAVER
----- Original Message -----
From: haZard0us [mailto:hazard0us.pt (at) gmail (dot) com [email concealed]]
Sent: Monday, August 06, 2012 10:25 AM
To: Kid Tangerine <kidtangerine (at) gmail (dot) com [email concealed]>
Cc: security-basics (at) securityfocus (dot) com [email concealed] <security-basics (at) securityfocus (dot) com [email concealed]>
Subject: Re: Disabling IPS for PENTEST
I don't have any experience, but I think that disabling the IDS/allowing their IP is wrong.
The main purpose of a pen test is to assess the vulnerabilities on your system. An attacker has to deal with the IDS. If you disable for them, just makes their job easier.
If I were the one to decide, I would say no.
But, once again, I got no experience.
A 06/08/2012, às 14:57, Kid Tangerine escreveu:
> All,
>
> Corporate has requested we get a PENTEST for our Internet facing
> website from a third party, but the third party asked us to allow
> their ip address to be excluded from our IPS.
>
> Is that a common practice to basically turn off our protection and
> allow them in?
>
> Obviously we aren't developers, so If the code has sql injections,
> cross site scripting, etc vulnerabilities we cannot fix it within the
> corporate guidelines, and our only leverage from the IT infrastructure
> side is to include the needed filters in the IPS to prevent their
> crappy code from being exploited. It we turn off the IPS I am sure all
> kinds of things will show up.
>
> Any experience appreciated.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
I agree with haZard0us.
I would ask for external and internal pentest.....remember a hacker won't ask you to disable you're protections.
And you are looking to measure your security.
Enjoy
Jose
Este mensaje puede contener información privilegiada y confidencial. Dicha información es exclusiva para el individuo o entidad al cual es enviada. Si el lector de este mensaje no es el destinatario del mismo, queda formalmente notificado que cualquier divulgación, distribución, reproducción o copiado de esta comunicación está estrictamente prohibido. Si este es el caso, favor eliminar el mensaje de su computadora e informar al emisor a través de un mensaje de respuesta. Las opiniones expresadas en este mensaje son propias del autor y no necesariamente coinciden con las de ALAVER
Gracias.
ALAVER
This message may contain information that is privileged and confidential. It is intended only for the use of the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, reproduction or copying of this communication is strictly prohibited. If this is the case, please proceed to destroy the message from your computer and inform the sender through reply mail. Information in this message that does not directly relate to the official business of the company shall be understood as neither given nor endorsed by it.
Thank you.
ALAVER
----- Original Message -----
From: haZard0us [mailto:hazard0us.pt (at) gmail (dot) com [email concealed]]
Sent: Monday, August 06, 2012 10:25 AM
To: Kid Tangerine <kidtangerine (at) gmail (dot) com [email concealed]>
Cc: security-basics (at) securityfocus (dot) com [email concealed] <security-basics (at) securityfocus (dot) com [email concealed]>
Subject: Re: Disabling IPS for PENTEST
I don't have any experience, but I think that disabling the IDS/allowing their IP is wrong.
The main purpose of a pen test is to assess the vulnerabilities on your system. An attacker has to deal with the IDS. If you disable for them, just makes their job easier.
If I were the one to decide, I would say no.
But, once again, I got no experience.
A 06/08/2012, às 14:57, Kid Tangerine escreveu:
> All,
>
> Corporate has requested we get a PENTEST for our Internet facing
> website from a third party, but the third party asked us to allow
> their ip address to be excluded from our IPS.
>
> Is that a common practice to basically turn off our protection and
> allow them in?
>
> Obviously we aren't developers, so If the code has sql injections,
> cross site scripting, etc vulnerabilities we cannot fix it within the
> corporate guidelines, and our only leverage from the IT infrastructure
> side is to include the needed filters in the IPS to prevent their
> crappy code from being exploited. It we turn off the IPS I am sure all
> kinds of things will show up.
>
> Any experience appreciated.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
>
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]