A good place to start would be to examine the security modelling documentation for the device. There should be a statement of security objectives included as part of the engineering documentation. A security policy defined, based on the security objectives, outlining the proposed security features/services to be implemented will provide the details of the product's security behaviours that were to be implemented. This should be followed up with design specifications for each of the identified security mechanisms that comprise the totality of the security features/services required to realize the product's written security policy, along with a correspondence or mapping to the policy features/services, since there will likely be necessary sharing of many of the lower-level security mechanisms' functionality for code reduction and other practical considerations.

Once you have a complete understanding of the product's security design, you will be in a good position to 'review' the product's security, or will have done so, more or less. You should also be able to locate the product's security features test planning documents and detailed testing results which validate the security design to a certain degree. Now, as an added bonus, you are in a perfect position to perform some of your own tests, for things like undocumented features, behaviours etc. that could compromise the security policy, unless of course this had been done thoroughly during product testing already.

I'm sure I have left out a few other things that could be examined, or done, as part of this particular review exercise, since they are typically very context dependent, but not nearly as much as the dependency that the documentation actually exists, or that the product was designed with any adherence to standard security engineering principles.

Good luck,
mgr

Mike Ruscher, ITS Specialist I2, CSE/CST
mgruscher@cse-cst.gc.ca
Phone: +1 613 991-8040
ED/C200
http://www.cse-cst.gc.ca

> -----Original Message-----
> From: Thad Horak [mailto:thadhorakat_private]
> Sent: Friday, June 29, 2001 11:45 AM
> To: pen-testat_private
> Subject: Nortel Security
>
> I've been asked to review the security of our Nortel
> Meridian PBX. I've searched Google & Yahoo and can't
> find too much to aid me in this. Can anyone point me to
> some good information on key things to audit/test?
> Thanks in advance.
>
> Thad
>
> --------------------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA) Service
> For more information on SecurityFocus' SIA service which
> automatically alerts you to
> the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

This archive was generated by hypermail 2b30 : Sun Jul 01 2001 - 10:44:44 PDT