Firewall Wizards mailing list archives

Re: How do you test a firewall


From: Bennett Todd <bet () mordor net>
Date: Wed, 8 Jul 1998 13:04:14 -0400

1998-07-08-11:45:57 Adam H. Pendleton:
> I haven't been following this thread very closely, but I find the statement
> that scanners won't work against firewalls to be erroneous.  My company just
> finished putting out a scanner, based on SATAN, that works against
> firewalls.  Check out http://www.wwdsi.com/saint to look at it.  It's free,
> of course, otherwise I wouldn't post it here.

Thanks for the pointer. I'll certainly be happy to give it a close look, and
this looks like a welcome addition to the bag of tools.

But from a quick skim, it looks like a welcome and much-needed update of SATAN
--- which I surely appreciate. Nonetheless I don't think this contradicts my
actual statement. I didn't say that a scanner won't work against a firewall;
sure it will. It'll be able to tell someone who knows how to interpret the
result that it was just pointed at something more or less like a firewall.

However, it won't be able to tell whether the firewall is well configured or
not, what sort of policy the firewall is enforcing, and whether it's
susceptible to attack or evasion; to analyze that, the best current state of
the art is to learn exactly how the firewall is designed and implemented, and
what security policy it's supposed to be enforcing, then review its
configuration, and finally do some spot-checks for popular configuration
problems. E.g. first thing I'd check for a traditional bastion host setup is
that it's enforcing the typical policy constraint that you can only get a
login to the bastion from the inside, not from the outside. That's an easy one
to miss. On the other hand, for a packet filter, the first thing I'd check is
whether you can use one of the fragment-based attacks to analyze the network
behind the filter, since that's a popular omission in packet filters.

-Bennett
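
The fragment spot-check mentioned above for packet filters, seen from the filter's side, as an added example that is not part of the original post: the two fragment checks discussed in RFC 1858, applied to constructed IPv4 headers. The function names, the `TMIN` value and the sample addresses are assumptions made for illustration.

```python
import struct

TCP = 6
TMIN = 20  # assumption: require the whole fixed TCP header in the first fragment


def build_ipv4(proto, frag_offset_units, more_fragments, payload):
    """Build a constructed IPv4 packet (checksum left at 0; sample data only)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset_units
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),  # documentation addresses
    )
    return header + payload


def fragment_verdict(packet):
    """Decide what a fragment-aware packet filter should do with one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not a parseable IPv4 header"
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    proto = packet[9]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "drop: inconsistent header lengths"
    offset = flags_frag & 0x1FFF          # in units of 8 bytes
    transport_len = total_len - ihl
    # Offset 1 starts at byte 8 of the TCP header, so on reassembly it can
    # replace the flags that the filter already inspected in the first fragment.
    if proto == TCP and offset == 1:
        return "drop: offset 1 overlaps the TCP flags"
    # A first fragment shorter than the TCP header hides the fields
    # (ports, flags) that the filter's rules are written against.
    if proto == TCP and offset == 0 and transport_len < TMIN:
        return "drop: TCP header incomplete in first fragment"
    if offset > 0:
        return "pass: later fragment, useless without its first fragment"
    return "pass: evaluate port rules"


if __name__ == "__main__":
    samples = {
        "whole segment": build_ipv4(TCP, 0, False, bytes(24)),
        "tiny first fragment": build_ipv4(TCP, 0, True, bytes(8)),
        "offset-1 fragment": build_ipv4(TCP, 1, False, bytes(16)),
        "later fragment": build_ipv4(TCP, 3, False, bytes(16)),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} {fragment_verdict(pkt)}")
```

A filter that skips these two checks and looks only at the ports in offset-0 fragments is the omission the spot-check is meant to catch.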


