Vulnerability Development mailing list archives
Re: firewall audit
From: dufresne () WINTERNET COM (Ron DuFresne)
Date: Thu, 4 May 2000 16:13:15 -0500
Of course, these are related only to a firewall audit, and a network security audit takes much more into consideration. Even a firewall audit should consider things like trust relationships <i.e. which ns servers are allowed for zone transfers, how the box deals with DMZ boxen and how it might or might not trust internal database systems and such>.

Hope that helps,

Ron DuFresne

On Thu, 4 May 2000, Bennett Todd wrote:
> 2000-05-03-21:10:20 LEOW Chiun-Yi Jonathan:
> > anyone out there know of any comprehensive and detailed firewall
> > audit program/checklist?
>
> Nope. In general it's not possible.
>
> I wrote an article on auditing firewalls; it's available at
> <URL:http://www.itsecurity.com/papers/p5.htm>. Here's the short
> version: a firewall is a device to enforce a security policy. So to
> audit a firewall, you first need to audit the security policy: review
> it and make sure it's a reasonable match for the organization's needs.
> Once that's done you can audit the firewall itself to make sure it
> implements the policy correctly. The most reasonable way to do that is
> a close and detailed examination of the firewall config (i.e. it'll
> vary depending on the kind of firewall), together with a couple of
> spot-checks, where you try to do something that should be forbidden
> and confirm that it's really blocked.
>
> You can do things like run port scanners against a firewall box, but
> really all they can do is confirm that the firewall is in fact a
> hardened host. So a scanner can tell you something useful if the
> "firewall" you have is in fact nothing at all like a firewall, but if
> it's anything anywhere close then the scanner will tell you nothing
> useful.
>
> -Bennett
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
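The two messages above describe the audit as: review the written policy, then check that the config implements it, using spot-checks that try something the policy forbids and confirm it is blocked, and paying attention to trust relationships such as which name servers may pull zone transfers. The following is an added example of that config-against-policy check; it is not code from either poster or from the cited paper. It models a first-match packet filter in a made-up rule syntax with constructed addresses (RFC 5737 documentation ranges and RFC 1918 space), derives probes from the policy rather than from the ruleset, and runs them offline. The TCP/53 probe from an arbitrary Internet host is the one that catches an over-broad rule of the kind Ron mentions.

```python
"""Offline spot-check of a firewall ruleset against a written policy.

Added example for this thread, not code from either poster or from the
cited paper.  The rule syntax, zone layout and addresses are constructed
(RFC 5737 documentation ranges and RFC 1918 space), not a vendor format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; first matching rule wins, as on most filters."""
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int, default: str = "drop") -> str:
    """Return the action the ruleset takes for one flow (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return default


@dataclass(frozen=True)
class Probe:
    """A spot-check derived from the written policy, not from the config."""
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    expect: str  # what the policy says must happen


def audit(rules: List[Rule], probes: List[Probe]) -> List[Tuple[str, str, str]]:
    """Return (probe name, expected, observed) for every probe the config gets wrong."""
    findings = []
    for p in probes:
        observed = evaluate(rules, p.src_ip, p.dst_ip, p.proto, p.dport)
        if observed != p.expect:
            findings.append((p.name, p.expect, observed))
    return findings


# Constructed layout: DMZ 192.0.2.0/24 (web 192.0.2.80, NS 192.0.2.53),
# internal 10.0.0.0/8 (database 10.1.1.10), secondary NS 198.51.100.53,
# arbitrary Internet host 203.0.113.7.
RULES_AS_DEPLOYED = [
    Rule("0.0.0.0/0", "192.0.2.80/32", "tcp", 80, "accept"),       # public web
    Rule("0.0.0.0/0", "192.0.2.53/32", "udp", 53, "accept"),       # public DNS
    Rule("0.0.0.0/0", "192.0.2.53/32", "tcp", 53, "accept"),       # TCP/53 from anyone: too broad
    Rule("192.0.2.80/32", "10.1.1.10/32", "tcp", 5432, "accept"),  # web -> DB only
    Rule("10.0.0.0/8", "0.0.0.0/0", "any", None, "accept"),        # internal egress
]

# Same ruleset with TCP/53 (zone transfer) restricted to the secondary NS.
RULES_CORRECTED = list(RULES_AS_DEPLOYED)
RULES_CORRECTED[2] = Rule("198.51.100.53/32", "192.0.2.53/32", "tcp", 53, "accept")

# Probes written from the policy: what must work, and what must be blocked.
PROBES = [
    Probe("internet -> web http", "203.0.113.7", "192.0.2.80", "tcp", 80, "accept"),
    Probe("internet -> ns udp dns", "203.0.113.7", "192.0.2.53", "udp", 53, "accept"),
    Probe("secondary ns zone transfer", "198.51.100.53", "192.0.2.53", "tcp", 53, "accept"),
    Probe("internet host zone transfer", "203.0.113.7", "192.0.2.53", "tcp", 53, "drop"),
    Probe("internet -> internal db", "203.0.113.7", "10.1.1.10", "tcp", 5432, "drop"),
    Probe("dmz web -> db", "192.0.2.80", "10.1.1.10", "tcp", 5432, "accept"),
    Probe("dmz web -> internal ssh", "192.0.2.80", "10.1.1.20", "tcp", 22, "drop"),
    Probe("dmz ns -> db", "192.0.2.53", "10.1.1.10", "tcp", 5432, "drop"),
]

if __name__ == "__main__":
    for label, rules in (("as deployed", RULES_AS_DEPLOYED), ("corrected", RULES_CORRECTED)):
        findings = audit(rules, PROBES)
        print(f"{label}: {len(findings)} policy violation(s)")
        for name, expect, observed in findings:
            print(f"  {name}: policy says {expect}, config does {observed}")
```

The point of keeping the probes separate from the ruleset is the one Bennett makes: a scan of the box tells you whether the host is hardened, while only a check written from the policy tells you whether the config enforces it. Against the deployed ruleset the audit reports one finding, the zone-transfer probe from an arbitrary host, and none against the corrected one; on a real firewall the same probes would be sent as actual traffic from each zone and the observed result compared the same way.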
Current thread:
- Re: Blind Remote Buffer Overflow, (continued)
- Re: Blind Remote Buffer Overflow Blue Boar (May 01)
- Re: Blind Remote Buffer Overflow matej (May 01)
- Re: Blind Remote Buffer Overflow Pavol Luptak (May 02)
- Ascii-x86 was: Blind Remote Buffer Overflow Bluefish (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Robert Collins (May 03)
- Re: Ascii-x86 was: Blind Remote Buffer Overflow Bill Weiss (May 03)
- firewall audit LEOW Chiun-Yi Jonathan (May 03)
- Re: firewall audit Ron DuFresne (May 03)
- Re: firewall audit antirez (May 04)
- Re: firewall audit Bennett Todd (May 04)
- Re: firewall audit Ron DuFresne (May 04)
- Re: Blind Remote Buffer Overflow Blue Boar (May 01)
- ethernet cards & promisc mode Security Team (May 03)
- Re: ethernet cards & promisc mode R (May 04)
- Info on the VBS/LoveLetter virus Roelof Temmingh (May 04)
- Re: ethernet cards & promisc mode Todd Garrison (May 04)
- Re: ethernet cards & promisc mode RioTek (May 04)
- ILOVEYOU worm Elias Levy (May 04)
- don't open email w/ subject line "I love you." (Was: Re: I love you.) Ken Williams (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- I Love You.. Repair Program James Wilkins (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)