Firewall Wizards mailing list archives

RE: sanity rule checker for fw-1


From: Avishai Wool <avishai_w () yahoo com>
Date: Mon, 6 Aug 2001 14:01:41 -0700 (PDT)

Well, the Lumeta Firewall Analyzer (LFA) goes most of the distance
for you. It takes your configuration (policy files + objects.C +
routing table for Check Point FW-1; output of 'write term' for PIX)
and does an offline analysis of what packets the firewall would let
through if they were to show up on one of its interfaces.

When I study an LFA report for a client firewall,
the first things I look for are
 (1) which IP addresses can access the firewall and over which services
 (2) which services are allowed in from the Outside to any of the networks
  attached to an internal interface.

If the firewall has, e.g., an "allow any service from anywhere to machine X"
rule (I've seen more of these than I care to mention ...) the LFA report
shows you that, e.g., netbios, x11, sunrpc, dns, etc., are all allowed
into machine X. That usually raises a red flag for most people, even those
who don't quite realize that "Any" really is "ANY service", not just the
safe ones...

More info:
 Main page:     http://www.lumeta.com/firewall.html
 White paper:   http://www.lumeta.com/pdffiles/LFAwhitepaper.pdf

Avishai

--- "Stiennon,Richard" <richard.stiennon () gartner com> wrote:
What a great idea. It could prioritize each rule and highlight its potential
vulnerability. Firewall misconfiguration is a big problem in organizations
that have 50 plus rules. It would be great to have a daily report that
pointed out things like two way rules where one way suffices, or a temporary
telnet rule that was meant to be shut off after the remote admin was done. 

Don't know of any such tool :-(

-Stiennon

-----Original Message-----
From: dirtbag [mailto:dirtbag () anywhereusa com]
Sent: Thursday, August 02, 2001 3:56 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] sanity rule checker for fw-1


first thanks this list is great.

I am looking for a sanity checker for a Checkpoint rule base, i.e. flag a rule
that is created as a two-way rule where only one way is required for known
services (http, ldap etc.).

thanks again



=====
Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: yash () acm org        Web: http://research.lumeta.com/yash/
Phone: (732) 357-3511  Cell: (973) 420-5919  Fax: (732) 564-0731
    ** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
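The kind of offline check the thread is asking for, as an added example that is not code from any of the posters and has nothing to do with Lumeta's LFA internals: a toy first-match evaluator over a constructed, simplified rule list. The object names, the expansion of the "Any" service, the list of one-way services and the "expires YYYY-MM-DD" comment convention are all assumptions made for the example. It shows what an "Any" service rule really lets into a host, which services reach the firewall itself and from where, which two-way rules could be one-way, and which "temporary" rules have outlived their comment.

```python
"""Toy rule-base sanity checker (added example; not LFA and not posted by
anyone in the thread). Object names, service lists, the comment convention
and the rule base below are all constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date

# Assumed expansion of the "Any" service: every service the firewall knows,
# not just the "safe" ones. A real tool would take this from objects.C.
ANY_SERVICES = ["http", "https", "ssh", "smtp", "dns", "ldap",
                "telnet", "netbios", "x11", "sunrpc"]

# Assumed client-to-server services: with stateful inspection the reply
# traffic is handled by the connection table, so a reverse rule is redundant.
ONE_WAY_SERVICES = {"http", "https", "ssh", "smtp", "dns", "ldap"}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    service: str
    action: str          # "accept" or "drop"
    comment: str = ""


def _matches(field, value):
    # Object matching by exact name; "Any" matches everything.
    return field == "Any" or field == value


def first_match(rules, src, dst, service):
    """First-match semantics: the first rule whose src, dst and service all
    match decides the packet. Returns None when nothing matches (implicit drop)."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and _matches(r.service, service):
            return r
    return None


def services_allowed_to(rules, src, dst, services=ANY_SERVICES):
    """Offline analysis: simulate one packet per service from src to dst and
    report the services an accept rule lets through."""
    allowed = []
    for svc in services:
        r = first_match(rules, src, dst, svc)
        if r is not None and r.action == "accept":
            allowed.append(svc)
    return allowed


def find_two_way_rules(rules):
    """Pairs of accept rules that allow the same one-way service in both
    directions; reported once as (forward rule, reverse rule, service)."""
    accepts = {(r.src, r.dst, r.service): r for r in rules if r.action == "accept"}
    findings = []
    for (src, dst, svc), r in accepts.items():
        rev = accepts.get((dst, src, svc))
        if svc in ONE_WAY_SERVICES and rev is not None and rev.number > r.number:
            findings.append((r.number, rev.number, svc))
    return sorted(findings)


def find_expired_temporary_rules(rules, today_iso):
    """Rules whose comment carries an assumed 'expires YYYY-MM-DD' tag that
    lies before today_iso; the tag convention is invented for this example."""
    today = date.fromisoformat(today_iso)
    expired = []
    for r in rules:
        m = re.search(r"expires (\d{4}-\d{2}-\d{2})", r.comment)
        if m and date.fromisoformat(m.group(1)) < today:
            expired.append(r.number)
    return expired


# Constructed rule base in FW-1 order (first match wins).
SAMPLE_RULES = [
    Rule(1, "admin-net", "fw-gw", "ssh", "accept", "firewall admin"),
    Rule(2, "Any", "fw-gw", "Any", "drop", "stealth rule"),
    Rule(3, "Any", "web-srv", "http", "accept", "public web"),
    Rule(4, "web-srv", "Any", "http", "accept", "reply rule"),
    Rule(5, "Any", "machine-x", "Any", "accept", "vendor asked for it"),
    Rule(6, "remote-admin", "db-srv", "telnet", "accept", "temporary, expires 2001-07-15"),
    Rule(7, "Any", "Any", "Any", "drop", "cleanup rule"),
]


def report(rules, today_iso):
    """Collect the checks into one dict, the way a daily report might."""
    return {
        "firewall_access": {src: services_allowed_to(rules, src, "fw-gw")
                            for src in ("admin-net", "internet")},
        "any_service_rules": {r.number: services_allowed_to(rules, "internet", r.dst)
                              for r in rules if r.action == "accept" and r.service == "Any"},
        "two_way_rules": find_two_way_rules(rules),
        "expired_temporary_rules": find_expired_temporary_rules(rules, today_iso),
    }


if __name__ == "__main__":
    for section, finding in report(SAMPLE_RULES, "2001-08-06").items():
        print(f"{section}: {finding}")
```

The "Any" check is the one that mirrors the report described above: rule 5 is evaluated by simulating one packet per known service, so the finding is the full list of services reaching machine-x rather than the single word "Any". Matching is by exact object name only; a real checker has to resolve groups and address ranges from objects.C before it can tell that "web-srv" and "Any" overlap.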

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards