Security Basics mailing list archives

Re: IPTables Based Firewall Testing


From: Christos Gioran <himicos () freemail gr>
Date: Thu, 18 Dec 2003 10:27:40 +0200

On Tuesday 16 December 2003 18:02, Gareth Darby wrote:
I was wondering what kind of processes would be involved in testing a
firewall built around IPtables.  How could you ensure that the rules are
sufficient?

If it is built correctly, then you have won more than half the battle. By
correctly I mean the ever-faithful "what is not explicitly permitted is
denied" rule. Define your needs in great detail and then all will become
clear. Simple rules and clean, cut-out logic ensure a pretty safe firewall.

Is a simple port scan enough?

Short answer: No. (Longer follows)

A simple external portscan will not do. It will simply confirm which ports
are open and which are not, with regard to the IP from which you perform the
scan. Say you scan your network from the external host notfriendly.com and
happily see only port 80 of your web server to accept SYN packets. That does
not ensure that port 25 does not allow packets from the external host
icomeinpeace.net. Does "Idle scan" ring any bells? (man nmap if not.)
Moreover there is the problem of outbound connections. An external portscan
will not reveal which hosts are allowed to make connections, i.e. act as
servers. Maybe that is acceptable for your www server, but a trojaned
machine that calls home (taking advantage of misconfigured firewalls) is
probably not a good thing to have in your network.
BTW, I assume "simple" does not imply connect()! A modest portscan should
involve an extended range of ports, at least SYN scans, ping sweeps (although
not portscans, they traditionally are mentioned in portscanning) and
hopefully ACK scans and other customised packets.

My advice (and practice)? Review your firewall rules carefully and make sure
that ANYTHING unnecessary is dropped (or tarpitted, whatever best suits you).
Take care to add non-needed outbound connections to the "unnecessary" list.
Obviously, SYN packets coming from servers are a sign of evil, so dropping
and logging them is also a Very Good Idea (tm).
Then portscan extensively, from any location you can, inside and out. By
that time, you can be somewhat confident that your firewall is modestly
tight.

Just my $(no_value_worth_mentioning)

himicos
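The default-deny policy the reply describes, written out as an added example that is not part of the thread: inbound limited to HTTP, outbound limited to DNS, and any other outbound SYN from the server logged and dropped. The interface, the addresses and the APPLY switch are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example: default-deny iptables ruleset for a single web server.
# Assumed values: interface eth0, DNS resolver 192.0.2.53 (documentation range).
# Without APPLY=1 the commands are only printed, so the ruleset can be reviewed
# before it is loaded; APPLY=1 (as root) runs them for real.
IFACE="${IFACE:-eth0}"
RESOLVER="${RESOLVER:-192.0.2.53}"

# Wrapper: print the command, or execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Start clean, then deny everything that is not explicitly permitted.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback, plus replies belonging to conversations already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one service offered to the outside: HTTP.
    ipt -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # The server's own outbound needs: DNS to the designated resolver only.
    ipt -A OUTPUT -o "$IFACE" -p udp -d "$RESOLVER" --dport 53 -j ACCEPT

    # Any other new outbound TCP connection from a server is a sign of evil
    # (a machine calling home): log it (rate limited), then drop it.
    ipt -A OUTPUT -o "$IFACE" -p tcp --syn -m limit --limit 5/min \
        -j LOG --log-prefix "FW-OUT-SYN:"
    ipt -A OUTPUT -o "$IFACE" -p tcp --syn -j DROP

    # Log what the INPUT default policy is about to drop (rate limited).
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP:"
}

build_rules
```

After loading, the reply's advice still applies: scan from inside and outside (SYN, ACK and ping sweeps, not just connect()) and compare the results with what the rules were meant to permit.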
