Re: Firewall Load Testing

From: Gene (gyoo@attbi.com)
Date: Tue Dec 10 2002 - 15:45:20 EST


try running ntop or nagios to monitor the load on your firewall; it
might even be interesting to run an nids to see what happens when you
utilize your pentool.

depending on what you're trying to achieve through your pentest on your
firewall, try something like firestorm or firewalk:

Firewalk 5.0 [gateway ACL scanner]
firewalk: invalid option -- -
Usage : firewalk [options] target_gateway metric
                    [-d 0 - 65535] destination port to use (ramping phase)
                    [-h] program help
                    [-i device] interface
                    [-n] do not resolve IP addresses into hostnames
                    [-p TCP | UDP] firewalk protocol
                    [-r] strict RFC adherence
                    [-S x - y, z] port range to scan
                    [-s 0 - 65535] source port
                    [-T 1 - 1000] packet read timeout in ms
                    [-t 1 - 25] IP time to live
                    [-v] program version
                    [-x 1 - 8] expire vector

Usage: fragroute [-f file] dst
Rules:
        delay first|last|random <ms>
        drop first|last|random <prob-%>
        dup first|last|random <prob-%>
        echo <string> ...
        ip_chaff dup|opt|<ttl>
        ip_frag <size> [old|new]
        ip_opt lsrr|ssrr <ptr> <ip-addr> ...
        ip_ttl <ttl>
        ip_tos <tos>
        order random|reverse
        print
        tcp_chaff cksum|null|paws|rexmit|seq|syn|<ttl>
        tcp_opt mss|wscale <size>
        tcp_seg <size> [old|new]

there are other *nix tools that you would use to start the recon to
understand the perimeter before you actually start using
injecting/hijacking/analysis tools for full penetration...

/gene

Jason Dixon wrote:
> My apologies if this isn't the right forum for this question; I'm
> running into great difficulty finding the right tool for this job short
> of writing my own. All of the other lists I've tried have come up
> blank.
>
> Basically, I'm looking to test a firewall's capabilities. At the very
> least, I'd like to have endpoint-to-endpoint creation and analysis of
> thousands of concurrent, possibly varying in protocol type, connections
> through the firewall. At the very most, I'd like something to pen/load
> test the firewall in order to determine maximum states, connections (vpn
> and otherwise), etc.
>
> Is anyone familiar with a good toolkit or collection of *nix utilities
> that will do what I'm looking for?
>
> TIA,
> J.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

-- 
Gene Yoo, gyoo@attbi.com
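As an added example, not from either post: a small Python asyncio harness of the kind Jason describes, opening many concurrent TCP sessions end to end, checking that each one actually carries data, and tallying established versus failed sessions with the error reason. The loopback echo listener is constructed for the example and stands in for the endpoint behind the firewall under test; `load_test_local` and the other names are assumptions of this example, not a real tool.

```python
import asyncio

async def _serve_one(reader, writer):
    # Stand-in for the endpoint behind the firewall: echo the probe line, then hold
    # the connection open until the client closes it (one state-table entry each).
    try:
        writer.write(await reader.readline())
        await writer.drain()
        await reader.read()  # returns b"" once the client closes
    finally:
        writer.close()

async def _one_session(host, port, idx, hold_s, timeout, stats):
    writer = None
    probe = f"probe {idx}\n".encode()
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        writer.write(probe)
        await writer.drain()
        echoed = await asyncio.wait_for(reader.readline(), timeout)
        stats["established" if echoed == probe else "corrupt"] += 1
        await asyncio.sleep(hold_s)  # keep the session alive while the others connect
    except (asyncio.TimeoutError, OSError) as exc:
        stats["failed"] += 1
        stats["errors"][type(exc).__name__] = stats["errors"].get(type(exc).__name__, 0) + 1
    finally:
        if writer is not None:
            writer.close()
            await writer.wait_closed()

async def run_load_test(host, port, conns, hold_s=0.5, timeout=5.0):
    # Open `conns` sessions concurrently and report how many completed a round trip.
    stats = {"established": 0, "corrupt": 0, "failed": 0, "errors": {}}
    await asyncio.gather(*(_one_session(host, port, i, hold_s, timeout, stats) for i in range(conns)))
    return stats

async def _local_run(conns):
    # Constructed loopback endpoint; in a real test the listener sits beyond the firewall.
    server = await asyncio.start_server(_serve_one, "127.0.0.1", 0, backlog=max(128, conns))
    port = server.sockets[0].getsockname()[1]
    try:
        return await run_load_test("127.0.0.1", port, conns)
    finally:
        server.close()
        await server.wait_closed()

def load_test_local(conns=64):
    return asyncio.run(_local_run(conns))
```

Raise `conns` in steps and watch where `failed` starts climbing (and which exception names show up in `errors`) alongside the firewall's own state-table counters; that knee is the practical concurrent-connection limit for the path.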


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT