PaulDotCom mailing list archives

Firewall Audit


From: chris.bentley at sky.com (Chris Bentley)
Date: Wed, 10 Jun 2009 14:48:49 +0100

Thanks for all the suggestions guys,

2009/6/10 Albert R. Campa <abcampa at gmail.com>

As far as rules, back in the day we used to have a script that would tell
us what hosts/ACLs in the firewalls haven't been used for the last 30/60 or 90
days, then you could proceed to remove them.

Some firewall admins add rules in firewalls because customers request them,
but the customers don't really know what they need, like when they say they
need bidirectional rules, when they might not.

Also this script would find out what rules get hit most and those rules
could be moved up to the top of the list, to help performance.


- deny-all

__________________________________
Albert R. Campa


On Wed, Jun 10, 2009 at 7:21 AM, Paul Asadoorian <paul at pauldotcom.com> wrote:

Chris Bentley wrote:

Paul/Ron any idea what type of scans I could run using nmap or nessus.
Also this would make a good technical segment for the show.

Great question!  See below for answers that are just off the top of my
head:

1) nmap -sT -n -T4 -p1-65535 <targets behind the firewall>

That will take some time, but the connect() scan works better for
firewalls and causes them not to crash/fill up the state table.  Always scan
all ports, and you can also mess around with different source ports too.

2) nmap -sU -n -T4 -p1-65535 <targets behind the firewall>

Don't forget UDP!

3) Nessus is a vulnerability scanner, but does contain a really sweet
TCP and UDP port scanner.  I'd recommend running it against all ports
using select plugin families.  This way you can also find any
vulnerabilities in your firewall (making certain that the actual IP
address of your firewall is included in the targets) and the systems
behind it.  Also, there are several plugins that test "firewall stuff",
515 to be exact:

# find . -name '*.nasl' -print0 | xargs -0 grep -i firewall | wc -l
    515

:)

Cheers,
Paul


--
 Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





