Firewall Wizards mailing list archives

Re: How do you test a firewall (was Re: your mail -Reply)


From: "Adam H. Pendleton" <pendleta () wwdsi com>
Date: Wed, 8 Jul 1998 11:45:57 -0400

I haven't been following this thread very closely, but I find the statement
that scanners won't work against firewalls to be erroneous.  My company just
finished putting out a scanner, based on SATAN, that works against
firewalls.  Check out http://www.wwdsi.com/saint to look at it.  It's free,
of course, otherwise I wouldn't post it here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adam H. Pendleton
Corporate Security Officer
World Wide Digital Security, Inc. <http://www.wwdsi.com>
Reston, Virginia
USA
-----Original Message-----
From: Bennett Todd <bet () mordor net>
To: Laris Benkis <lbenkis () bank-banque-canada ca>
Cc: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Wednesday, July 08, 1998 11:42 AM
Subject: How do you test a firewall (was Re: your mail -Reply)


1998-07-02-11:02:47 Laris Benkis:
So,... don't keep us all in suspense.  While I find interesting your
assertion, and the reasoning behind it, that scanners are the wrong tool
to test firewalls, I am more interested in what the right tools are.  Who
makes these tools and what do they test?  If they don't exist currently,
and have to be home-grown, what specific tests should they perform?

Right now, there's really no such tool. Available scanners can look at only
the most superficial part of the question, at the level of ``well, yes, that
looks more like a firewall than e.g. a typical unsecured desktop system of
c. 1985''.

Part of the problem is that ``what is a firewall'' is a question whose answer
is changing rapidly over time. Right now I'd say ``a firewall is a combination
of security components configured to enforce a security policy'', which is way
too loose to be useful for anything. In some settings a Cisco 2501 with some
simple screening rules is all the firewall you need. In other settings you
need the best security you can buy, so you might have a Cisco PIX for the
external screening router, backed up by an application gateway firewall built
using OpenBSD+IP-Filter+fwtk+qmail, with separate interfaces for each DMZ
host, each of which is another OpenBSD+IP-Filter bastion.

All you can do to evaluate a given firewall is to start with the security
policy you want to enforce, then examine the architecture and configuration of
the firewall to confirm that it should be able to enforce the policy, then try
to think about possible implementation and configuration bugs and devise some
probes to give yourself confidence that they're missing. There are companies
out there that sell this service. They routinely charge a load of money for
the service --- it's an in-depth security audit that starts with a review of
the security policy, and hence re-checks that against the organization's
needs, and then goes through an implementation audit. With good preparation a
team of a half-dozen experts might be able to do this in a month, for a small
firm with simple requirements.

-Bennett
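Bennett's point is that a firewall test starts from the policy, not from a generic scanner. The following is an added example (not code from the thread, nor from any tool mentioned in it) of the last step of his procedure: it compares constructed probe results against a hypothetical zone policy and reports both holes (reachable services the policy denies) and over-blocking (services the policy allows but the firewall filters). Zone names, address ranges and probe results are all made up for illustration.

```python
"""Policy-driven firewall check. Added example, not from the original thread.
All zones, addresses and probe results below are constructed."""
import ipaddress

# Hypothetical zones; TEST-NET-1 and RFC 1918 space stand in for real ranges.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Hypothetical policy: allowed TCP ports per (source zone, destination zone).
# Anything not listed here is supposed to be denied by the firewall.
POLICY = {
    ("internet", "dmz"): {25, 80},
    ("dmz", "internal"): {25},
    ("internal", "internet"): {80, 443},
}

# Constructed probe results: (source, destination, port, "open" | "filtered").
OBSERVATIONS = [
    ("198.51.100.7", "192.0.2.10", 80, "open"),      # allowed and open: fine
    ("198.51.100.7", "192.0.2.10", 23, "open"),      # denied but reachable: hole
    ("198.51.100.7", "192.0.2.10", 25, "filtered"),  # allowed but blocked: gap
    ("192.0.2.10", "10.1.2.3", 3306, "open"),        # DMZ host reaches internal DB
    ("10.1.2.3", "198.51.100.7", 443, "open"),       # allowed and open: fine
]


def zone_of(ip):
    """Return the most specific zone containing ip (longest prefix wins, so
    0.0.0.0/0 only catches addresses no narrower zone claims)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def audit(observations, policy=POLICY):
    """Compare each probe result with the policy and group the discrepancies."""
    findings = {"unexpected_open": [], "unexpected_blocked": []}
    for src, dst, port, result in observations:
        allowed = port in policy.get((zone_of(src), zone_of(dst)), set())
        if result == "open" and not allowed:
            findings["unexpected_open"].append((src, dst, port))
        elif result == "filtered" and allowed:
            findings["unexpected_blocked"].append((src, dst, port))
    return findings
```

Feeding real probe output into `audit` turns a scan from "looks like a firewall" into a pass/fail verdict against the policy the firewall was built to enforce.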

