Firewall Wizards mailing list archives
Re: How automate firewall tests
From: Strabla Ruggero <rstrabla () crema unimi it>
Date: Fri, 18 Aug 2006 21:43:52 +0200
Hello, thanks for all the answers!

On Thu, 17 Aug 2006 13:33:58 -0400 "Marcus J. Ranum" <mjr () ranum com> wrote:

> You've chosen a fairly interesting problem. What do you intend to measure about a firewall?

I'd like to test security instead of performance. In my study, performance could be important to test whether it can generate a security problem. For example, if a packet filter or an application proxy under heavy traffic doesn't filter correctly, as it does in a normal situation, I'd like to see that. Many days ago I read the firewall whitepaper of ICSA Labs (http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/fwwhitepaper.pdf) and I saw on page 6 that the main problems with firewalls (or packet filters) were related to reply attacks, TCP pre-session packets, fragmentation and so on... I had in mind these types of tests in my first email.

> There's a paper or two that might help you. One (search for "Ranum Kostic Molitor") is quite ancient, but the problem remains the same. Email me privately if you want a copy; I can see if I can find it.

Oh, thank you. I'll read it if you can find a copy, because on Google I can't find anything :-(

> Another is a paper I did back in the NFR days on how to cheat on IDS benchmarks. It's highly relevant. http://www.mail-archive.com/firewalls () lists gnac net/msg22759.html

I read this message. Well, my idea is a bit more modest than that, but anyway I'm confused about how to organize all the "penetration tests" in a pseudo-automatic and logical way. Until yesterday I thought that it would be enough to design a tool for doing synscan, ackscan, fragmentation stuff etc... today I'm not so sure..

> is a repeat thread of this topic from 2002. See also: http://www.snort.org/docs/Benchmarking-IDS-NFR.pdf

I'm not interested in IDS at the moment, but I read that paper with pleasure. It shows how hard it will be for me to design something useful and not a toy.

On Fri, 18 Aug 2006 09:30:07 -0400 "Marcus J. Ranum" <mjr () ranum com> wrote:

> Durga Prasad wrote:
> > There are a couple of tools which test if a firewalling is leaking any packets.
> People still rely on packet-based firewalls??!!! You're joking, right? It's 2006!

Mmmm, maybe I'm wrong, but I read in one of my books, called "Inside Network Perimeter Security", about the importance of defense in depth. It seems that a packet-based firewall is useful anyway in many situations, or not?

On Fri, 18 Aug 2006 10:17:13 +0200 Jean-Denis Gorin <jdgorin () computer org> wrote:

> What I would like is a tool able to answer 2 questions: 1/ what is the security level of my firewall platform (OS security, patches up to date, does the firewall protect itself well, ...)? 2/ is the configuration of that firewall compliant with my security policy?

Ok, learned.

> The second point requires a tool able to *understand* a security policy. And that requires a tool able to *model* a security policy.

I think this would be great, but a bit beyond my possibilities.

> Then, you have to code a security policy checker. And analyzing the firewall configuration files is *not* the right way: you have to find an external way to check that, to be sure that the firewall implementation of the security policy is right. That means accepting the authorized data flows, *and* rejecting all other kinds. The difficult part is to check 'all other kinds of data flows', including tunneling, covert channels, ...

Considering netfilter as an example of this, do you mean something like a piece of software that parses the output of the iptables-save command and then automatically generates, first, all the traffic allowed, then all other TCP/IP traffic, to see if something can bypass the firewall? You're right, it's a big problem, I'll see.. Thanks to all, thanks for the "good luck", I really need it :-)

Strabla Ruggero

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
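The iptables-save-driven checker sketched in the last reply, as an added example that is not part of the original thread or any tool mentioned in it: it parses a constructed INPUT chain, applies netfilter's first-match semantics to predict the verdict for a flow, and builds a test matrix of the authorized flows plus a sample of "everything else" with expected results, so the observed behaviour of the firewall under test can be compared against the policy oracle. The ruleset, probe ports and source addresses are constructed; the parser only understands the handful of options used in that ruleset.

```python
import ipaddress

# Constructed iptables-save excerpt (not a real configuration): INPUT chain
# with default policy DROP and four rules.
RULESET = """*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j DROP
COMMIT"""

# Options this toy parser understands, mapped to (rule field, converter).
OPTS = {"-p": ("proto", str), "--dport": ("dport", int), "-j": ("target", str),
        "-s": ("src", ipaddress.ip_network),
        "--state": ("state", lambda v: set(v.split(",")))}

def parse_ruleset(text, chain="INPUT"):
    """Return (default policy, ordered rule list) for one chain of the filter table."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == [":" + chain]:           # e.g. ":INPUT DROP [0:0]"
            policy = toks[1]
        elif toks[:2] == ["-A", chain]:
            rule = dict.fromkeys(("proto", "dport", "src", "state", "target"))
            for opt, val in zip(toks, toks[1:]):
                if opt in OPTS:
                    field, conv = OPTS[opt]
                    rule[field] = conv(val)
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, proto, dport, src, state="NEW"):
    """First matching rule wins, as in netfilter; no match falls through to the chain policy."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if (r["proto"] in (None, proto) and r["dport"] in (None, dport)
                and (r["src"] is None or src_ip in r["src"])
                and (r["state"] is None or state in r["state"])):
            return r["target"]
    return policy

POLICY, RULES = parse_ruleset(RULESET)

def test_matrix(policy=POLICY, rules=RULES):
    """Expected verdict for the authorized flows plus a sample of 'everything else'."""
    srcs = ["10.1.2.3", "192.0.2.7"]                  # inside / outside the trusted range
    probes = [("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)]
    return {(p, d, s): verdict(policy, rules, p, d, s) for p, d in probes for s in srcs}
```

Each entry of the matrix is one flow to send at the firewall from the named source; any flow whose observed result differs from the predicted verdict is a policy violation to investigate.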