Firewall Wizards mailing list archives
Firewall rulebase analysis and regression testing
From: Rob Quinn <rquinn () sprint net>
Date: Fri, 19 Dec 1997 13:17:02 -0500
I'm interested in doing a number of things on our Raptor firewalls, and I'm wondering what the state of the art is for other firewalls and what code might already exist, especially for Checkpoint, PIX and Gauntlet (of which I have no experience right now). This isn't very organized, but I'll just spill it out. Most of it has to do with analyzing firewalls where the rule base has grown too large to understand with a simple glance over. Not my favorite situation, but one that seems to come up too often.

First, I'm looking for a way to submit an artificial query to the firewall engine. "Can I get from `A' to `B' using protocol `C', and maybe with userid `D'?" Or, "given host `A', what can I do?" Or "tell me all about `telnet'"?

On top of this, I want to write (use) some regression testing tools. For instance a simple matrix of critical services that must never be interrupted, and some dangerous situations that must never be permitted. For instance

    SRC       DST       PROTO   ALLOW/DENY
    ----------------------------------
    hosta     0.0.0.0   telnet  ALLOW
    0.0.0.0   hosta     telnet  DENY

Then after every rule change I want to be sure that my matrix still checks out. The matrix is my site policy or similar. And of course I'd like this to chain. If I say ``hosta->hostb telnet never'' I'd like to know if ``hosta->middlehost->hostb telnet'' is hidden in my rules somewhere. Remember the ``kang'' program from Cops? This is begging for some prolog programming.

Second, I want to fight redundancy of rules. If I add a subnet rule ``10.0.0.0/8->Universe allow telnet'' I'd like to know that three host based telnet rules for machines in 10.0.0.0/8 can now be deleted.

Third, I want to find useless info in my database. If I delete all rules and groups and tunnels and filters that refer to ``hosta'' I'd like a reminder so I can delete the entity hosta. Ditto for dangling proxies.

Fourth (I'm dreaming here) I'd like some cross analysis between my firewalls.
What I already have is a horrible little program that queries the Raptor engine to ask questions of the form ``src dst proto''. I'm not happy with how it handles userids. It also generates fake log entries, which are useful since they reference the rule number, but which might set off some alarms.

    #fwquery -v -S hosta -D hostb -p ftp -I
    fwquery: 1.3
    Interfaces: 127.0.0.1,XXX.X.XXX.2,YYY.Y.YYY.1,ZZZ.Z.ZZZ.1
    Src name: hosta
    Src ip: ZZZ.Z.ZZZ.36
    Dst name: hostb
    Dst ip: WWW.WWW.W.5
    Protocol: ftp
    YES on interface ZZZ.Z.ZZZ.1
    YES on interface YYY.Y.YYY.1
    YES on interface XXX.X.XXX.2
    YES on interface 127.0.0.1

    #fwquery -v -D hosta -S hostb -p ftp -I
    fwquery: 1.3
    Interfaces: 127.0.0.1,XXX.X.XXX.2,YYY.Y.YYY.1,ZZZ.Z.ZZZ.1
    Src name: hostb
    Src ip: WWW.WWW.W.5
    Dst name: hosta
    Dst ip: ZZZ.Z.ZZZ.33
    Protocol: ftp
    Requires userid...NO on interface ZZZ.Z.ZZZ.1
    Requires userid...NO on interface YYY.Y.YYY.1
    Requires userid...NO on interface XXX.X.XXX.2
    Requires userid...NO on interface 127.0.0.1

Well, I'm out of time for this email...

-- 
| Opinions are _mine_, facts    Rob Quinn                 |
| are facts.                    (703)689-6582             |
|                               rquinn () sprint net      |
|                               Sprint Corporate Security |
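The artificial query, the regression matrix, the hidden multi-hop chain and the redundant-rule check asked for in the post above, as an added example that is not Rob's fwquery or any vendor's code. It assumes a first-match rule list with a default deny; the host names, 10.x addresses, rules and policy matrix are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed rulebase: (src, dst, proto, action); first match wins, default DENY.
HOSTS = {"hosta": "10.1.0.5", "middlehost": "10.2.0.9", "hostb": "10.3.0.7"}
RULES = [
    ("10.1.0.5/32", "10.3.0.7/32", "telnet", "DENY"),   # hosta -> hostb: never
    ("10.1.0.5/32", "10.2.0.0/16", "telnet", "ALLOW"),  # hosta -> middle net
    ("10.2.0.0/16", "10.3.0.0/16", "telnet", "ALLOW"),  # middle net -> hostb net
    ("10.0.0.0/8",  "0.0.0.0/0",   "ftp",    "ALLOW"),  # subnet-wide ftp
    ("10.1.0.5/32", "0.0.0.0/0",   "ftp",    "ALLOW"),  # host ftp, now dead
]
# Constructed site policy matrix: (src, dst, proto, expected) must hold after every change.
MATRIX = [("hosta", "hostb", "telnet", "DENY"), ("hosta", "middlehost", "telnet", "ALLOW")]

def query(rules, src, dst, proto):
    """Artificial query: can src reach dst with proto? The first matching rule decides."""
    s, d = ip_address(src), ip_address(dst)
    for rsrc, rdst, rproto, action in rules:
        if rproto == proto and s in ip_network(rsrc) and d in ip_network(rdst):
            return action
    return "DENY"

def check_matrix(rules, hosts, matrix):
    """Regression check: matrix rows the current rulebase no longer satisfies."""
    bad = []
    for src, dst, proto, expected in matrix:
        got = query(rules, hosts[src], hosts[dst], proto)
        if got != expected:
            bad.append((src, dst, proto, expected, got))
    return bad

def find_chains(rules, hosts, src, dst, proto, path=None):
    """Paths src -> ... -> dst in which every hop is ALLOWed, even when src -> dst is not."""
    path = path or [src]
    if path[-1] == dst:
        return [path]
    chains = []
    for nxt in hosts:
        if nxt not in path and query(rules, hosts[path[-1]], hosts[nxt], proto) == "ALLOW":
            chains += find_chains(rules, hosts, src, dst, proto, path + [nxt])
    return chains

def dead_rules(rules):
    """Indexes of rules wholly covered by an earlier rule; first-match never reaches them."""
    def covers(outer, inner): return ip_network(inner).subnet_of(ip_network(outer))
    return [j for j, (sj, dj, pj, _) in enumerate(rules)
            if any(pi == pj and covers(si, sj) and covers(di, dj)
                   for si, di, pi, _ in rules[:j])]
```

With the constructed rules the direct hosta->hostb telnet row passes, but find_chains still reports hosta->middlehost->hostb, and dead_rules flags the host ftp rule that the 10.0.0.0/8 rule made unreachable.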