Firewall Wizards mailing list archives

Re: How do you test a firewall (was Re: your mail -Reply)


From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 08 Jul 1998 10:17:41 -0400


How do you test a firewall?

I'm going to make a very controversial statement.

I test firewalls with my brain, mostly.

Scanners, etc., don't actually usually find the real problems, which
are almost never (in my experience) things that you can't see in about
thirty seconds if you know what you are doing. When I go into a
client, the first thing I do is ask to see the whole design, and then
I examine the machines carefully to make sure they are actually doing
what they are supposed to be doing. One "netstat -f inet -a" on a
bastion host beats a dozen scans and takes less time. I rarely have to
try to break into a machine, because it is usually much faster and
cheaper for the client for me to point out that the way the firewall
was designed has flaws.

"You are logging into the exterior router using cleartext passwords on
a network with the web server you think might be broken into? Doesn't
that mean someone can sniff the password for the router?" usually
beats running mindless tools that have no way of figuring out that
there are design flaws.

Looking for design flaws is usually very quick for me, which I suppose 
reduces my billable hours, but who cares.

It also usually points out that the local staff probably want to do a
bunch of tightening before I actually try anything with the hardware,
which also cuts back on my billable hours, but again, who cares.

As with cryptography, I prefer the idea of a design that cannot be
attacked even if I know how the entire thing works, a to z. When the
system is conceptually correct, and actually implemented as conceived, 
at that point it might be worth whipping out the scanner, just for
show, but at that point the problems are already gone.

Perry
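Added example (not part of Perry's post): the "netstat -f inet -a" check above is, in effect, a comparison of what a bastion host actually listens on against what the design says it should. The script below automates that comparison. It parses BSD-style netstat output and reports every listening socket the design does not account for. The netstat sample and the allowlist are constructed for illustration; ports are assumed numeric (as with netstat -n), and a port that netstat has resolved to a service name is kept as a string and will not match a numeric allowlist entry.

```python
"""Compare a bastion host's listening sockets against its design allowlist.

Added example, not code from the original post. The netstat output and the
allowlist below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of BSD-style `netstat -f inet -a` output from a
# hypothetical bastion host whose design allows only SSH (tcp/22) and
# SMTP (tcp/25).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.25            *.*                    LISTEN
tcp4       0      0  127.0.0.1.6000         *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            192.0.2.7.51234        ESTABLISHED
udp4       0      0  *.514                  *.*
udp4       0      0  *.123                  *.*
"""

# Assumed design allowlist: (protocol, port) pairs the bastion is meant to serve.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 25)}


@dataclass(frozen=True)
class Listener:
    proto: str        # "tcp" or "udp"
    addr: str         # bound address; "*" is the wildcard address
    port: int | str   # numeric port, or a service name if netstat resolved it


def _split_local(local: str) -> tuple[str, int | str]:
    """Split BSD 'host.port' into (host, port); the port follows the last dot."""
    host, _, port = local.rpartition(".")
    return host, (int(port) if port.isdigit() else port)


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return the sockets that accept inbound traffic.

    TCP sockets count only in state LISTEN. UDP sockets carry no state
    column, so every bound UDP socket counts.
    """
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner and column-header lines.
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        host, port = _split_local(fields[3])
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        listeners.append(Listener(proto, host, port))
    return listeners


def unexpected_listeners(listeners: list[Listener],
                         expected: set[tuple[str, int]]) -> list[Listener]:
    """Listeners whose (proto, port) is absent from the design allowlist."""
    return [l for l in listeners if (l.proto, l.port) not in expected]


def audit(netstat_output: str, expected: set[tuple[str, int]]) -> list[str]:
    """Produce one report line per unexpected listener, wildcard binds first."""
    bad = unexpected_listeners(parse_listeners(netstat_output), expected)
    bad.sort(key=lambda l: (l.addr != "*", l.proto, str(l.port)))
    return [f"UNEXPECTED {l.proto}/{l.port} bound on {l.addr}" for l in bad]


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT, EXPECTED_LISTENERS)
    print("\n".join(report) if report else "all listeners match the design")
```

Anything the script reports is a question for whoever built the host, not a finding in itself: a syslog listener on udp/514 or an X server on the loopback may be deliberate, but each one should appear in the written design before the scanner is ever brought out.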


