Penetration Testing mailing list archives

RE: firewall auditing/testing


From: Ralph Forsythe <rforsythe () 5280tech com>
Date: Wed, 14 Jun 2006 19:23:20 -0600 (MDT)

I agree completely with this line:
"In most cases it's a mis-configuration on the actual server and not the firewall that is the culprit."

Firewalls are important, but are only one link in the chain of security. You could have your firewall configured perfectly, but a vulnerability on the server could still be exploited without ever generating a dropped packet - and the firewall isn't to blame, the admin is.

One other thing to consider is that you have to consider bugs as much as vulnerabilities on a firewall. For example, I know that certain versions of OS on a well-known firewall line behave in certain ways which are both repeatable, and could create a Denial of Service condition. Since a firewall not only needs to protect systems but retain availability while under fire, this is something I would research for my platform.

If the system is configured right but a carefully-crafted packet on a permitted port can spike the CPU, or certain traffic through a VPN tunnel can crash the box, these are things I'd compare to my environment to make sure I'm not inadvertently setting myself up for failure. These types of things are sometimes found in OS release notes, but more often on user groups (i.e. web forums or email lists) specific to your product, discussed by the people who find or exploit those flaws. These "unintentional features" are frequently not shown in a vulnerability database, because they can't be used to grant unauthorized access - instead they're recorded as "bugs", and just get fixed in subsequent software releases.

- Ralph

On Wed, 14 Jun 2006, Robert J. Kraus wrote:

Rocky,

I guess the question is, are you concerned about the security of your
firewall itself? Or what security it is providing for the clients and
servers behind it?

I was not sure which you were talking about the way the questions were
asked.

If it truly is the vulnerabilities of the firewall you wish to test then
you need to look up the model of firewall you have in some of the
vulnerability databases. For instance, if I have a WatchGuard x700
Firebox I would go to sites like
http://www.securityfocus.com/vulnerabilities and see what
vulnerabilities are out there for the software I am running on it.

If you are referring to the protection it is providing the hosts,
servers, and services behind it then you need to make sure you review
the logs on the firewall AND the servers. For instance, I can look at my
firewall logs and it will show me that it dropped several attacks
against my FTP server, great for the firewall! But, if I don't check the
logs on my FTP server... then what justice am I really providing? You
still need to look at your application server logs to verify if any
attacks made it past the firewall. If some in fact did make it past, you
then need to find out how and modify your firewall rules to prevent it
from happening again. In most cases it's a mis-configuration on the
actual server and not the firewall that is the culprit.

I hope this gives you some help with your question.



Thanks,

Rob Kraus
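The log-correlation step Rob describes (check the firewall's drops, then check the FTP server's own log to see what still got through) can be done mechanically. The following script is an added example, not code from either poster; the firewall and FTP log formats, the addresses and the `correlate` function are all constructed for illustration and do not match any vendor's real format. It reports three things a reviewer would want: what the firewall dropped on the FTP port, which clients racked up failed logins on the server despite being allowed through, and which clients appear in the server log with no matching firewall ACCEPT at all (a logging gap or a path around the firewall that needs explaining).

```python
"""Correlate firewall drop/accept records with an FTP server's login log.

Added example for the thread above; every log line here is constructed,
and the field layout is a hypothetical one, not a real product's format.
"""
import re
from collections import Counter

# Constructed firewall log: one line per packet decision on the edge device.
FIREWALL_LOG = """\
2006-06-14 18:01:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2006-06-14 18:01:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2006-06-14 18:02:11 ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=21
2006-06-14 18:03:40 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
2006-06-14 18:04:01 ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=21
2006-06-14 18:05:30 ACCEPT src=192.0.2.55 dst=192.0.2.10 proto=tcp dport=21
"""

# Constructed FTP server log: what the application itself saw.
FTP_LOG = """\
2006-06-14 18:02:12 CONNECT client=198.51.100.4
2006-06-14 18:02:13 FAIL LOGIN user=root client=198.51.100.4
2006-06-14 18:02:14 FAIL LOGIN user=admin client=198.51.100.4
2006-06-14 18:02:15 FAIL LOGIN user=test client=198.51.100.4
2006-06-14 18:04:02 CONNECT client=198.51.100.4
2006-06-14 18:04:03 FAIL LOGIN user=ftp client=198.51.100.4
2006-06-14 18:05:31 CONNECT client=192.0.2.55
2006-06-14 18:05:32 OK LOGIN user=alice client=192.0.2.55
2006-06-14 18:06:10 CONNECT client=192.0.2.77
2006-06-14 18:06:11 FAIL LOGIN user=root client=192.0.2.77
"""

FW_RE = re.compile(
    r"^(\S+ \S+) (DROP|ACCEPT) src=(\S+) dst=\S+ proto=\S+ dport=(\d+)$")
FTP_RE = re.compile(
    r"^(\S+ \S+) (CONNECT|FAIL LOGIN|OK LOGIN)(?: user=(\S+))? client=(\S+)$")


def parse_firewall(text):
    """Yield (action, src, dport) for each well-formed firewall line."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(4))


def parse_ftp(text):
    """Yield (event, user, client) for each well-formed FTP server line."""
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4)


def correlate(fw_text, ftp_text, ftp_port=21, threshold=3):
    """Compare the firewall's view with the server's view of the FTP port.

    threshold: number of failed logins from one client that we treat as an
    attack the firewall let through (a value chosen for this example).
    """
    dropped = Counter()   # src -> number of DROPs on the FTP port
    accepted = set()      # sources the firewall explicitly let through
    for action, src, dport in parse_firewall(fw_text):
        if dport != ftp_port:
            continue      # other ports are out of scope for this check
        if action == "DROP":
            dropped[src] += 1
        else:
            accepted.add(src)

    failed = Counter()    # client -> failed logins seen by the server
    seen = set()          # every client the server heard from at all
    for event, user, client in parse_ftp(ftp_text):
        seen.add(client)
        if event == "FAIL LOGIN":
            failed[client] += 1

    return {
        "dropped_by_firewall": dict(dropped),
        "failed_logins": dict(failed),
        # allowed through, then hammered the login: a rule-set question
        "brute_force_passed": sorted(c for c, n in failed.items() if n >= threshold),
        # reached the server with no ACCEPT on record: a logging or path question
        "no_firewall_record": sorted(seen - accepted),
    }


if __name__ == "__main__":
    for key, value in correlate(FIREWALL_LOG, FTP_LOG).items():
        print(f"{key}: {value}")
```

Run on the constructed data, the firewall looks good in isolation (two drops from 203.0.113.7), but the server log shows 198.51.100.4 failing four logins after being accepted, and 192.0.2.77 reaching the server without any firewall record, which is exactly the "how did it get past?" question the reply says you must go on to answer.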
