Vulnerability Development mailing list archives

Re: firewall audit


From: dufresne () WINTERNET COM (Ron DuFresne)
Date: Thu, 4 May 2000 16:13:15 -0500


Course, these are related only to a firewall audit, and a network security
audit takes much more into consideration.  Even a firewall audit should
consider things like trust relationships <i.e. which ns servers are
allowed for zone transfers, how the box deals with DMZ boxen and how it
might or might not trust internal database systems and such>.

Hope that helps,

Ron DuFresne

On Thu, 4 May 2000, Bennett Todd wrote:

2000-05-03-21:10:20 LEOW Chiun-Yi Jonathan:
anyone out there know of any comprehensive and detailed firewall audit
program/ checklist?

Nope. In general it's not possible.

I wrote an article on auditing firewalls; it's available at
<URL:http://www.itsecurity.com/papers/p5.htm>.

Here's the short version: a firewall is a device to enforce a
security policy. So to audit a firewall, you first need to audit the
security policy: review it and make sure it's a reasonable match for
the organization's needs. Once that's done you can audit the
firewall itself to make sure it implements the policy correctly. The
most reasonable way to do that is a close and detailed examination
of the firewall config (i.e. it'll vary depending on the kind of
firewall), together with a couple of spot-checks, where you try to
do something that should be forbidden and confirm that it's really
blocked.

You can do things like run port scanners against a firewall box, but
really all they can do is confirm that the firewall is in fact a
hardened host. So a scanner can tell you something useful if the
"firewall" you have is in fact nothing at all like a firewall, but
if it's anything anywhere close then the scanner will tell you
nothing useful.

-Bennett


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
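Added example, not part of the thread and not any vendor's tool: a small Python check that follows the approach Bennett describes, treating the written policy as the reference and then auditing the ruleset against it, with a check for the trust relationships Ron mentions (zone transfers, DMZ to internal database). The rule syntax, addresses and policy entries are constructed for the example; the ruleset is a simplified first-match, default-deny list rather than any real firewall's configuration format.

```python
"""
Audit a firewall ruleset against the written security policy.

Added example (not from the thread). The policy is the reference; the
ruleset is what gets audited. Rule syntax here is a constructed,
simplified first-match format, not any vendor's configuration language.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp", or "any"
    port: Optional[int]             # destination port; None means any


def parse_rules(text: str) -> List[Rule]:
    """Parse lines like 'allow tcp 10.0.2.5/32 -> 10.0.1.10/32 53'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, proto, src, arrow, dst, port = line.split()
        if arrow != "->" or action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto,
                          None if port == "any" else int(port)))
    return rules


def decide(rules: List[Rule], src: str, dst: str, proto: str, port: int,
           default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic falls to default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return default


# A policy entry: (src, dst, proto, port, decision the policy requires).
PolicyCheck = Tuple[str, str, str, int, str]


def audit(rules: List[Rule], policy: List[PolicyCheck]):
    """Return (flow, expected, actual) for every policy check the ruleset fails."""
    findings = []
    for src, dst, proto, port, expected in policy:
        actual = decide(rules, src, dst, proto, port)
        if actual != expected:
            findings.append(((src, dst, proto, port), expected, actual))
    return findings


# Constructed sample ruleset: 10.0.1.0/24 is the DMZ, 10.0.3.0/24 internal.
RULESET = """
allow tcp 10.0.2.5/32   -> 10.0.1.10/32 53   # designated secondary NS may pull zone transfers
allow udp 0.0.0.0/0     -> 10.0.1.10/32 53   # ordinary DNS queries from anywhere
allow tcp 0.0.0.0/0     -> 10.0.1.20/32 80   # DMZ web server
allow tcp 10.0.1.0/24   -> 10.0.3.0/24  any  # DMZ may reach internal segment (broader than policy)
deny  any 0.0.0.0/0     -> 0.0.0.0/0    any
"""

# Constructed policy assertions: what the written policy says must happen.
POLICY: List[PolicyCheck] = [
    ("10.0.2.5",     "10.0.1.10", "tcp", 53,   "allow"),  # secondary NS can transfer
    ("198.51.100.7", "10.0.1.10", "tcp", 53,   "deny"),   # nobody else can
    ("198.51.100.7", "10.0.1.10", "udp", 53,   "allow"),  # queries still work
    ("198.51.100.7", "10.0.1.20", "tcp", 80,   "allow"),  # public web
    ("10.0.1.20",    "10.0.3.40", "tcp", 3306, "deny"),   # DMZ web must not trust internal DB
    ("198.51.100.7", "10.0.3.40", "tcp", 3306, "deny"),   # outside must not reach internal DB
]


def run_audit():
    """Evaluate the sample ruleset against the sample policy."""
    return audit(parse_rules(RULESET), POLICY)


if __name__ == "__main__":
    for flow, expected, actual in run_audit():
        print(f"MISMATCH {flow}: policy says {expected}, ruleset gives {actual}")
```

Running it reports one mismatch: the DMZ-to-internal rule lets the web server reach the database port the policy says must be closed, which is exactly the kind of trust relationship a config review should catch. The same policy list doubles as the script for the spot-checks Bennett mentions: each entry is a flow to try from the relevant segment and confirm the observed result matches the expected one.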

