Penetration Testing mailing list archives

Re: Firewall Load Testing

From: Gene <gyoo () attbi com>
Date: Tue, 10 Dec 2002 12:45:20 -0800

trying running ntop or nagios to monitor the load on your firewall, itmight even be interesting to run an nids to see what happens when youutilize your pentool.

depending on what you're trying to achieve through your pentest on yourfirewall, try something like firestorm or firewalk:


Firewalk 5.0 [gateway ACL scanner]
firewalk: invalid option -- -
Usage : firewalk [options] target_gateway metric
                   [-d 0 - 65535] destination port to use (ramping phase)
                   [-h] program help
                   [-i device] interface
                   [-n] do not resolve IP addresses into hostnames
                   [-p TCP | UDP] firewalk protocol
                   [-r] strict RFC adherence
                   [-S x - y, z] port range to scan
                   [-s 0 - 65535] source port
                   [-T 1 - 1000] packet read timeout in ms
                   [-t 1 - 25] IP time to live
                   [-v] program version
                   [-x 1 - 8] expire vector

Usage: fragroute [-f file] dst
Rules:
       delay first|last|random <ms>
       drop first|last|random <prob-%>
       dup first|last|random <prob-%>
       echo <string> ...
       ip_chaff dup|opt|<ttl>
       ip_frag <size> [old|new]
       ip_opt lsrr|ssrr <ptr> <ip-addr> ...
       ip_ttl <ttl>
       ip_tos <tos>
       order random|reverse
       print
       tcp_chaff cksum|null|paws|rexmit|seq|syn|<ttl>
       tcp_opt mss|wscale <size>
       tcp_seg <size> [old|new]

there are other nix tool that you would use to start the recon theunderstand the perimeter before you actually starting usinginjecting/hijacking/analysis tool for full penetration...


/gene

Jason Dixon wrote:

My apologies if this isn't the right forum for this question;  I'm
running into great difficulty finding the right tool for this job short
of writing my own.  All of the other lists I've tried have come up
blank.

Basically, I'm looking to test a firewall's capabilities.  At the very
least, I'd like to have endpoint-to-endpoint creation and analyzation of
thousands of concurrent, possibly varying in protocol type, connections
through the firewall.  At the very most, I'd like something to pen/load
test the firewall in order to determine maximum states, connections (vpn
and otherwise), etc.

Is anyone familiar with a good toolkit or collection of *nix utilities
that will do what I'm looking for?

TIA,
J.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



--
Gene Yoo, gyoo () attbi com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Firewall Load Testing Jason Dixon (Dec 10)
- Re: Firewall Load Testing Kurt Seifried (Dec 10)
- Re: Firewall Load Testing Gene (Dec 10)
- <Possible follow-ups>
- RE: Firewall Load Testing Brass, Phil (ISS Atlanta) (Dec 10)
  - Re: Firewall Load Testing Andrea Barisani (Dec 11)