Firewall Wizards mailing list archives

Firewall rulebase analysis and regression testing


From: Rob Quinn <rquinn () sprint net>
Date: Fri, 19 Dec 1997 13:17:02 -0500

 I'm interested in doing a number of things on our Raptor firewalls, and I'm
wondering what the state of the art is for other firewalls and what code
might already exist, especially for Checkpoint, PIX and Gauntlet (of which I
have no experience right now). This isn't very organized, but I'll just spill
it out. Most of it has to do with analyzing firewalls where the rule base has
grown too large to understand with a simple glance over. Not my favorite
situation, but one that seems to come up too often.

 First, I'm looking for a way to submit an artificial query to the firewall
engine. "Can I get from `A' to `B' using protocol `C', and maybe with userid
`D'?" Or, "given host `A', what can I do?" Or "tell me all about `telnet'"?

 On top of this, I want to write (use) some regression testing tools. For
instance a simple matrix of critical services that must never be interrupted,
and some dangerous situations that must never be permitted. For instance
  SRC     DST     PROTO   ALLOW/DENY
  ----------------------------------
  hosta   0.0.0.0 telnet  ALLOW
  0.0.0.0 hosta   telnet  DENY 

 Then after every rule change I want to be sure that my matrix still checks out.
The matrix is my site policy or similar.
 And of course I'd like this to chain. If I say ``hosta->hostb telnet never''
I'd like to know if ``hosta->middlehost->hostb telnet'' is hidden in my rules
somewhere. Remember the ``kang'' program from Cops? This is begging for some
prolog programming.


 Second, I want to fight redundancy of rules. If I add a subnet rule
``10.0.0.0/8->Universe allow telnet'' I'd like to know that three host
based telnet rules for machines in 10.0.0.0/8 can now be deleted.

 Third, I want to find useless info in my database. If I delete all rules
and groups and tunnels and filters that refer to ``hosta'' I'd like a reminder
so I can delete the entity hosta. Ditto for dangling proxies.

 Fourth (I'm dreaming here) I'd like some cross analysis between my firewalls.
 What I already have is a horrible little program that queries the Raptor
engine to ask questions of the form ``src dst proto''. I'm not happy with
how it handles userids. It also generates fake log entries, which are useful
since they reference the rule number, but which might set off some alarms.


#fwquery -v -S hosta -D hostb -p ftp -I
 
fwquery: 1.3 
Interfaces: 127.0.0.1,XXX.X.XXX.2,YYY.Y.YYY.1,ZZZ.Z.ZZZ.1
Src name: hosta
Src ip: ZZZ.Z.ZZZ.36
Dst name: hostb
Dst ip: WWW.WWW.W.5
Protocol: ftp
 
YES on interface ZZZ.Z.ZZZ.1
YES on interface YYY.Y.YYY.1
YES on interface XXX.X.XXX.2
YES on interface 127.0.0.1

#fwquery -v -D hosta -S hostb -p ftp -I 
 
fwquery: 1.3 
Interfaces: 127.0.0.1,XXX.X.XXX.2,YYY.Y.YYY.1,ZZZ.Z.ZZZ.1
Src name: hostb
Src ip: WWW.WWW.W.5
Dst name: hosta
Dst ip: ZZZ.Z.ZZZ.33
Protocol: ftp
 
Requires userid...NO on interface ZZZ.Z.ZZZ.1
Requires userid...NO on interface YYY.Y.YYY.1
Requires userid...NO on interface XXX.X.XXX.2
Requires userid...NO on interface 127.0.0.1


 Well, I'm out of time for this email...

-- 
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                        rquinn () sprint net |
|                                                Sprint Corporate Security |
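An added example, not the fwquery program from the post and not Raptor code: a toy first-match evaluator in Python for a src/dst/proto rule base that answers the "can I get from A to B" query, re-checks a policy matrix after a rule change, looks for a ``hosta->middlehost->hostb'' chain, and flags host rules subsumed by an earlier subnet rule. Host names, addresses and rules are constructed, and policy rows use concrete addresses rather than 0.0.0.0 for "any".

```python
# Added example, not the fwquery program from the post and not Raptor code:
# a toy first-match evaluator for a src/dst/proto rule base. It answers the
# "can A reach B" query, re-checks a policy matrix, looks for a one-hop chain
# through a middle host, and flags rules subsumed by an earlier broader rule.
# Every host name, address and rule below is constructed for illustration.
from ipaddress import ip_address, ip_network

HOSTS = {"hosta": "10.1.1.5", "hostb": "192.0.2.9", "middlehost": "10.2.2.2"}

# (src, dst, proto, action); first match wins, implicit default DENY.
RULES = [
    ("10.0.0.0/8", "10.0.0.0/8", "telnet", "ALLOW"),
    ("10.1.1.5/32", "10.0.0.0/8", "telnet", "ALLOW"),   # covered by rule 0
    ("10.2.2.2/32", "192.0.2.9/32", "telnet", "ALLOW"),
    ("10.1.1.5/32", "192.0.2.9/32", "telnet", "DENY"),
]

def query(rules, src, dst, proto):
    """'Can I get from src to dst using proto?' -> (action, rule index)."""
    s, d = ip_address(src), ip_address(dst)
    for i, (rs, rd, rp, act) in enumerate(rules):
        if rp == proto and s in ip_network(rs) and d in ip_network(rd):
            return act, i
    return "DENY", None

def regression(rules, policy):
    """Policy rows (src, dst, proto, expected) the rule base no longer honours."""
    return [row for row in policy if query(rules, *row[:3])[0] != row[3]]

def chains(rules, hosts, src, dst, proto):
    """Middle hosts m for which src->m and m->dst are both allowed for proto."""
    return sorted(name for name, ip in hosts.items()
                  if ip not in (src, dst)
                  and query(rules, src, ip, proto)[0] == "ALLOW"
                  and query(rules, ip, dst, proto)[0] == "ALLOW")

def subsumed(rules):
    """Indices of rules never reached because an earlier rule covers them."""
    hits = []
    for i, (s, d, p, _) in enumerate(rules):
        for es, ed, ep, _ in rules[:i]:
            if p == ep and ip_network(s).subnet_of(ip_network(es)) \
                    and ip_network(d).subnet_of(ip_network(ed)):
                hits.append(i)
                break
    return hits

if __name__ == "__main__":
    print(query(RULES, HOSTS["hosta"], HOSTS["hostb"], "telnet"))
    print(chains(RULES, HOSTS, HOSTS["hosta"], HOSTS["hostb"], "telnet"))
    print(subsumed(RULES))
```

The chain check only looks one hop through the known host table; a longer search over all hosts is where the post's prolog idea would pay off.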
