Firewall Wizards mailing list archives
RE: sanity rule checker for fw-1
From: Avishai Wool <avishai_w () yahoo com>
Date: Mon, 6 Aug 2001 14:01:41 -0700 (PDT)
Well, the Lumeta Firewall Analyzer (LFA) goes most of the distance for you. It takes your configuration (policy files + objects.C + routing table for Check Point FW-1; output of 'write term' for PIX) and does an offline analysis of what packets the firewall would let through if they were to show up on one of its interfaces.

When I study an LFA report for a client firewall, the first things I look for are (1) which IP addresses can access the firewall and over which services, and (2) which services are allowed in from the Outside to any of the networks attached to an internal interface. If the firewall has, e.g., an "allow any service from anywhere to machine X" rule (I've seen more of these than I care to mention ...), the LFA report shows you that, e.g., netbios, x11, sunrpc, dns, etc., are all allowed into machine X. That usually raises a red flag for most people, even those that don't quite realize that "Any" really is "ANY service", not just the safe ones...

More info:
Main page: http://www.lumeta.com/firewall.html
White paper: http://www.lumeta.com/pdffiles/LFAwhitepaper.pdf

Avishai

--- "Stiennon,Richard" <richard.stiennon () gartner com> wrote:
> What a great idea. It could prioritize each rule and highlight its potential vulnerability. Firewall misconfiguration is a big problem in organizations that have 50 plus rules. It would be great to have a daily report that pointed out things like two-way rules where one way suffices, or a temporary telnet rule that was meant to be shut off after the remote admin was done. Don't know of any such tool :-(
>
> -Stiennon
>
> -----Original Message-----
> From: dirtbag [mailto:dirtbag () anywhereusa com]
> Sent: Thursday, August 02, 2001 3:56 PM
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] sanity rule checker for fw-1
>
> First, thanks, this list is great. I am looking for a sanity checker for a Check Point rule base, i.e., flag a rule that is created as a two-way rule where one way is only required, for known services (http, ldap, etc.).
>
> Thanks again.
=====
Avishai Wool, Ph.D., Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: yash () acm org   Web: http://research.lumeta.com/yash/
Phone: (732) 357-3511   Cell: (973) 420-5919   Fax: (732) 564-0731
** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
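The two red flags raised in this thread (an "Any" service rule that quietly admits everything, and a mirrored two-way rule for a client/server service where one direction suffices) can be checked mechanically. The script below is an added example, not LFA's or Check Point's own code; it uses a constructed, simplified rule representation rather than the real objects.C format, and its service tables are illustrative.

```python
from dataclasses import dataclass

# Constructed tables for this example (not Check Point's or LFA's own data):
# services a bare "Any" admits that people rarely intend, and client/server
# services for which a mirrored server->client rule is unnecessary on a
# stateful firewall.
RISKY_UNDER_ANY = ["netbios-ns", "netbios-ssn", "x11", "sunrpc", "dns"]
CLIENT_SERVER = {"http", "https", "ldap", "smtp", "telnet", "ssh"}


@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    svc: str
    action: str  # "accept" or "drop"


def check_any_service(rules):
    """Accept rules whose service is Any: report the risky services they admit."""
    return [(r.num, r.src, r.dst, list(RISKY_UNDER_ANY))
            for r in rules if r.action == "accept" and r.svc.lower() == "any"]


def check_two_way(rules):
    """Accept rules that mirror an earlier accept rule for a client/server service."""
    seen, findings = {}, []
    for r in rules:
        svc = r.svc.lower()
        if r.action != "accept" or svc not in CLIENT_SERVER:
            continue
        mirror = seen.get((r.dst, r.src, svc))  # same service, directions swapped
        if mirror is not None:
            findings.append((mirror, r.num, svc))
        seen.setdefault((r.src, r.dst, svc), r.num)
    return findings


# Constructed rule base for the demonstration.
SAMPLE_RULES = [
    Rule(1, "Any", "web-srv", "http", "accept"),
    Rule(2, "web-srv", "Any", "http", "accept"),   # mirrors rule 1; one way suffices
    Rule(3, "Any", "machine-X", "Any", "accept"),  # "any service from anywhere to X"
    Rule(4, "lan", "ldap-srv", "ldap", "accept"),
    Rule(5, "Any", "Any", "Any", "drop"),
]


def sanity_report(rules=SAMPLE_RULES):
    return {"any_service": check_any_service(rules), "two_way": check_two_way(rules)}


if __name__ == "__main__":
    for kind, items in sanity_report().items():
        print(kind, items)
```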