Firewall Wizards mailing list archives

Re: Third Party Audit of a Firewall

From: C Matthew Curtin <cmcurtin () interhack net>
Date: Thu, 29 Jan 1998 11:41:27 -0500 (EST)

"Michelle" == Michelle <michelle () inf net au> writes:

Michelle> I am interested in what sort of tests should be run

Of course, the appropriate documentation for the firewall should
already be drafted.  This should include all of the things you need to 
know about the systems, including OS, versions, patches, any
applications, services, etc.  You'll need to know what services you're 
exposing to the inside world, and to the outside world, and to what
degree each is being exposed.

I'm not sure I'd show this documentation to the auditors.

The audit then becomes a straightforward matter, no different from any
other.  Inventory what services are running on the host, try to figure
out its OS type, probe it to see what services it offers, poke at them
looking for misconfigurations, watch version numbers, etc.  Find out
what other hosts are on the network, probe them as well, looking for
any vulnerabilities.  (While your bastion host might be nice and
locked down, it's not much good if you've got a weak web server on the 
same LAN, and there's any sort of trust relationship between the two,
or you're doing cleartext things to your bastion host across that
network.) 

Be sure to get routers and all that rot included in there as well.

Do the same from the inside.

Then do a COPS-style audit of the system from the inside-out, looking
for misconfigurations, stupid permissions problems, etc.

Compile the data for a complete view of the world, from the inside
network, from the outside network, and from the host itself.  Compare
that compiled report to the documentation that the auditors haven't
seen up to this point.

The two reports should be as close to identical as possible.

Of course, this doesn't do anything to determine whether your policy
is lacking, but at least it will give you an idea of how well your
policy was implemented (or how good your auditors are ;-) ...

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
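The final step of the procedure above, compiling the outside, inside and host views and matching them against the documentation the auditors never saw, as an added example (not code from the original post or its author); the hostnames, ports and the three vantage-point result sets are constructed sample data standing in for real probe output.

```python
from collections import defaultdict

# Documented exposure (constructed sample): (host, port/proto) -> sides that
# the firewall documentation says may reach it.
DOCUMENTED = {
    ("bastion", "22/tcp"): {"inside"},
    ("bastion", "25/tcp"): {"inside", "outside"},
    ("bastion", "80/tcp"): {"inside", "outside"},
    ("webserver", "80/tcp"): {"inside", "outside"},
}

# Probe results (constructed sample) from the three vantage points in the post:
# the outside network, the inside network, and the host's own service inventory.
OBSERVED = {
    "outside": {("bastion", "22/tcp"), ("bastion", "25/tcp"), ("bastion", "80/tcp")},
    "inside": {("bastion", "22/tcp"), ("bastion", "25/tcp"), ("bastion", "80/tcp"),
               ("webserver", "80/tcp"), ("webserver", "23/tcp")},
    "host": {("bastion", "22/tcp"), ("bastion", "25/tcp"), ("bastion", "80/tcp"),
             ("bastion", "111/tcp")},
}


def compare(documented, observed):
    """Return (category, (host, service), detail) discrepancies between the
    documentation and the compiled probe results."""
    seen = defaultdict(set)  # (host, service) -> vantage points where it was found
    for vantage, services in observed.items():
        for svc in services:
            seen[svc].add(vantage)

    findings = []
    for svc in sorted(set(documented) | set(seen)):
        if svc not in documented:
            # Running somewhere (even if only visible on the host) but absent from the docs.
            findings.append(("undocumented", svc, sorted(seen[svc])))
            continue
        reachable = seen[svc] - {"host"}  # the host inventory says nothing about reachability
        for side in sorted(reachable - documented[svc]):
            findings.append(("exposed-beyond-policy", svc, side))
        for side in sorted(documented[svc] - reachable):
            findings.append(("documented-but-unreachable", svc, side))
    return findings


def report(findings):
    """Human-readable lines, one per discrepancy."""
    return ["%-26s %s %s: %s" % (cat, host, svc, detail) for cat, (host, svc), detail in findings]


if __name__ == "__main__":
    print("\n".join(report(compare(DOCUMENTED, OBSERVED))))
```

An empty result is the "as close to identical as possible" outcome the post asks for; a "documented-but-unreachable" entry points at either stale documentation or a probe that missed something, which is the check on the auditors mentioned at the end.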
