RE: firewall auditing/testing

["Chad" <chad () mr-lew com>]

Rocky,
        Looking at your ACL activity logs is good, but how do you KNOW they are
accurate? What I mean is that the activity log TELLS you it denied/allowed a
certain type of traffic, but what did it REALLY do? Some systems will tell
you a packet was dropped, but then a sniffer on the inside will reveal the
packet was actually permitted to pass the ACL.

        To FULLY prove what your firewall is allowing and blocking, you need a few
boxes. Put a separate box on your DMZ and a separate box on your internal
side of your firewall (assuming you want to test your security stance from
the outside). Then make sure those boxes will capture ALL traffic on your
network. This can be done by putting each network segment on a hub
temporarily, or by putting each switchport in a monitor state. You do NOT
want to use any packet capture capability of the firewall as that could be
compromised/suspect.

        Start a sniffer on each one of those boxes to capture ALL traffic. Then
take a 3rd box and place it outside your firewall and using hping2, generate
test packets to probe your ACL. Attempt to connect to all interfaces of the
firewall, servers on the DMZ, true broadcast addresses (255.255.255.255),
network broadcasts (x.x.x.255) and internal hosts. Spoof source addresses to
claim to come from 127.0.0.1, RFC 1918 addresses, internal addresses (that
should not originate outside your firewall), multicast addresses, broadcast
addresses, and spoof the address of the device you are connecting to. Also
try any open ports (TCP & UDP), port 0, port 65535, port 65536, ICMP and any
blocked ports.

        By checking the sniffer captures you can validate that what your ACLs
CLAIMED to have blocked/allowed was in FACT what they DID block/allow. Since
you are not relying on the firewall to report this information, you are in a
sense getting a secondary validation. This approach will also take you from
what you KNOW the firewall is blocking/allowing to what you can PROVE the
firewall is blocking/allowing. That difference can be both subtle and
significant at the same time.

        I followed the same concept when I tested my firewall configuration for my
SANS GIAC Certified Firewall Analyst (GCFW) certification, even though I
would have gone a lot further with my testing if I had not been limited to
space on my certification paper. You can see what I did and see my hping2
scripts at
http://www.giac.org/certified_professionals/practicals/gcfw/0480.php.

        Keep in mind that this method does not fully test any proxy functionality
your firewall may have. You will need to apply some additional methods to
validate additional capabilities outside of packet filtering.

Good luck, and I hope this helps you out some...
Chad

-----Original Message-----
From: Rocky [mailto:pixscreenpoint () gmail com]
Sent: Tuesday, June 13, 2006 7:30 PM
To: pen-test () securityfocus com
Subject: firewall auditing/testing


Hi guys,

I'm new to the list and been reading your email archives but
i have my own question how to test your firewall if its really secured.

Our IT director is really paranoid and he's not confident if our
current firewall security is really secured.

I already presented a NMAP/Nessus audit logs and i even
show to him the activity logs of our ACL that deny/drops
everything from the internet and permit only the basic applications.

Is there any other tools that can penetrate/test the firewall vulnerability?

Thanks,
rocky

----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic has
the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------