Firewall Wizards mailing list archives
Re: How do you test a firewall (was Re: your mail -Reply)
From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 08 Jul 1998 10:17:41 -0400
How do you test a firewall? I'm going to make a very controversial statement. I test firewalls with my brain, mostly.

Scanners, etc., don't actually usually find the real problems, which are almost never (in my experience) things that you can't see in about thirty seconds if you know what you are doing. When I go into a client, the first thing I do is ask to see the whole design, and then I examine the machines carefully to make sure they are actually doing what they are supposed to be doing. One "netstat -f inet -a" on a bastion host beats a dozen scans and takes less time.

I rarely have to try to break into a machine, because it is usually much faster and cheaper for the client for me to point out that the way the firewall was designed has flaws. "You are logging into the exterior router using cleartext passwords on a network with the web server you think might be broken into? Doesn't that mean someone can sniff the password for the router?" usually beats running mindless tools that have no way of figuring out that there are design flaws.

Looking for design flaws is usually very quick for me, which I suppose reduces my billable hours, but who cares. It also usually points out that the local staff probably want to do a bunch of tightening before I actually try anything with the hardware, which also cuts back on my billable hours, but again, who cares.

As with cryptography, I prefer the idea of a design that cannot be attacked even if I know how the entire thing works, a to z. When the system is conceptually correct, and actually implemented as conceived, at that point it might be worth whipping out the scanner, just for show, but at that point the problems are already gone.

Perry
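The "netstat -f inet -a" check the post recommends, turned into a repeatable comparison against what the bastion host is supposed to offer. This is an added example, not code from the post or the list; it assumes BSD-style netstat output (port after the last dot of the local address) and a hypothetical allowlist of expected services.

```python
import re

# Constructed sample of BSD-style "netstat -f inet -a" output (not from the post).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          198.51.100.7.40122     ESTABLISHED
tcp4       0      0  *.111                  *.*                    LISTEN
udp4       0      0  *.514                  *.*
"""

# Hypothetical allowlist: the services this bastion host is designed to offer.
EXPECTED = {("tcp", 22), ("tcp", 25)}


def listening_sockets(netstat_text):
    """Return {(proto, port)} for sockets that accept traffic: TCP sockets in
    LISTEN, and bound UDP sockets (wildcard foreign address)."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines and non-IP protocols
        proto = re.sub(r"\d+$", "", fields[0])  # tcp4 / tcp6 -> tcp
        local, foreign = fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        # BSD netstat uses the last dot as the port separator: "*.22", "192.0.2.10.22"
        port_str = local.rsplit(".", 1)[-1]
        if not port_str.isdigit():
            continue  # unbound socket ("*.*"); nothing is listening on it
        port = int(port_str)
        if proto == "tcp" and state == "LISTEN":
            found.add((proto, port))
        elif proto == "udp" and foreign == "*.*":
            found.add((proto, port))
    return found


def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Listening sockets the design did not call for, sorted for review."""
    return sorted(listening_sockets(netstat_text) - expected)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE):
        print(f"unexpected listener: {proto}/{port}")
```

On the sample, the portmapper (tcp/111) and syslog (udp/514) listeners are flagged; each one is a question for the design review rather than a finding in itself.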