Penetration Testing mailing list archives

RE: Firewall rulebase checking tool


From: "K K Mookhey" <kkmookhey () niiconsulting com>
Date: Tue, 17 Aug 2010 15:10:19 +0530

Besides the tools mentioned, including the one we make (Firesec), the
general approach is two-pronged as I see it:
1. To clean up the configuration from a hygiene/manageability point of view
2. To validate it from a security point of view

Besides the obvious (check for rules that allow access to too many ports,
dangerous/sensitive ports such as 22/21/23/3389/1433/1521, rules that allow
access from/to wide ranges of IP addresses, or from/to critical systems,
etc.), some of the more interesting stuff we've found when checking firewall
configurations is:
1. Redundant rules
Often once a request has passed through all the change management steps, it
comes to the firewall administrator, who upon seeing all the t's are crossed
and i's are dotted, simply goes and implements the rule on to the firewall
configuration. Rarely if ever does he check if the rule might already be in
existence or whether he may have created a superset of an existing rule, thus
making the earlier one redundant.

2. Shadow rules
These rules are often implemented to handle some emergency or critical worm
infection. They are found to be completely in contradiction to an already
existing rule. The end-result depends on the sequence of the 2 rules. Some
firewalls (Netscreen mostly) warn you if you're creating a rule in
contradiction to an existing rule.

3. Unused rules
As networks are dynamic, systems come and go. But firewall rules tend to
remain forever. As a result, if you were to validate the firewall rules
against the logs from the same firewall, you would typically find about
50-60% of rules in use. The rest would not even be getting any hits. This is
easiest to validate on a Cisco firewall (show access list). On the other
firewalls if logging has been turned on for the policies, you can easily
extract the raw log files and see which policy IDs are being hit (Firesec
comes with a Perl script to do this).

4. Unused objects
These tend to bloat up the firewall configuration as well. And most
firewalls have logical limits on the number of objects you can create. But
as rules keep getting added and removed, the number of unused objects keeps on
growing.

5. PCI DSS compliance
The first control domain of PCI DSS deals almost exclusively with firewall
configuration. The validation should address this also if the scenario
requires PCI DSS compliance.

Okay, that's about what comes to mind...:)

Cheers,

K. K. Mookhey
Principal Consultant
Network Intelligence
Web: http://www.niiconsulting.com
Products: http://www.niiconsulting.com/products.html
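As an added illustration of the redundant, shadow and unused-rule checks described above (example code written for this page, not Firesec or any product mentioned in the post), the following is a small first-match rulebase analyser run over a constructed five-rule policy and constructed log hit counts:

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # inclusive destination port range (low, high)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def analyse(rules, hits):
    """Classify rules in a first-match-wins policy.

    rules: list in evaluation order; hits: {rule id: log hit count}.
    Returns (redundant, shadowed, unused) lists of rule ids.
    A later rule fully covered by an earlier rule with the same action is
    redundant; covered by an earlier rule with the opposite action, it is
    shadowed (the contradiction the post describes). Unused means no log hits."""
    redundant, shadowed = [], []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                target = redundant if earlier.action == later.action else shadowed
                target.append(later.rid)
                break  # the first covering rule already decides the packet's fate
    unused = [r.rid for r in rules if hits.get(r.rid, 0) == 0]
    return redundant, shadowed, unused


# Constructed sample policy (hypothetical addresses, not from the post).
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "192.168.1.10/32", "tcp", (443, 443)),
    Rule("R2", "deny", "0.0.0.0/0", "192.168.1.0/24", "tcp", (23, 23)),
    Rule("R3", "allow", "10.1.0.0/16", "192.168.1.10/32", "tcp", (443, 443)),  # subset of R1
    Rule("R4", "allow", "10.2.0.0/16", "192.168.1.20/32", "tcp", (23, 23)),    # "emergency" rule, shadowed by R2
    Rule("R5", "allow", "172.16.0.0/12", "192.168.2.0/24", "tcp", (1, 65535)),
]
# Constructed hit counts as extracted from firewall logs; missing ids mean zero hits.
HITS = {"R1": 1200, "R2": 40}
```

Redundant and shadowed rules show up as unused as well, since the earlier rule takes every matching packet first; cross-checking both views is what separates a dead rule from a merely quiet one.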

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jirka Vejrazka
Sent: 17 August 2010 13:10
To: Tracy Reed
Cc: pen-test () securityfocus com
Subject: Re: Firewall rulebase checking tool

I googled "validate firewall rulsebase" and got this thread at the top
of the list. I'm surprised anyone was able to answer this question as
phrased.

  Well, apparently quite a few people managed to understand what I
meant despite the fact that it's new to Google ;-)

  Many thanks to all who responded! I'll take a look at all the
mentioned products, did not know many of them.

  Cheers

    Jirka

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

