Re: firewall auditing/testing

From: Andrea Barisani (andrea@inversepath.com)
Date: Thu Jun 15 2006 - 04:00:09 EDT


On Wed, Jun 14, 2006 at 07:23:01PM -0400, Chad wrote:

You can try FTester out:

http://dev.inversepath.com/trac/ftester

Cheers

> Rocky,
> Looking at your ACL activity logs is good, but how do you KNOW they are
> accurate? What I mean is that the activity log TELLS you it denied/allowed a
> certain type of traffic, but what did it REALLY do? Some systems will tell
> you a packet was dropped, but then a sniffer on the inside will reveal the
> packet was actually permitted to pass the ACL.
>
> To FULLY prove what your firewall is allowing and blocking, you need a few
> boxes. Put a separate box on your DMZ and a separate box on your internal
> side of your firewall (assuming you want to test your security stance from
> the outside). Then make sure those boxes will capture ALL traffic on your
> network. This can be done by putting each network segment on a hub
> temporarily, or by putting each switchport in a monitor state. You do NOT
> want to use any packet capture capability of the firewall as that could be
> compromised/suspect.
>
> Start a sniffer on each one of those boxes to capture ALL traffic. Then
> take a 3rd box and place it outside your firewall and using hping2, generate
> test packets to probe your ACL. Attempt to connect to all interfaces of the
> firewall, servers on the DMZ, true broadcast addresses (255.255.255.255),
> network broadcasts (x.x.x.255) and internal hosts. Spoof source addresses to
> claim to come from 127.0.0.1, RFC 1918 addresses, internal addresses (that
> should not originate outside your firewall), multicast addresses, broadcast
> addresses, and spoof the address of the device you are connecting to. Also
> try any open ports (TCP & UDP), port 0, port 65535, port 65536, ICMP and any
> blocked ports.
>
> By checking the sniffer captures you can validate that what your ACLs
> CLAIMED to have blocked/allowed was in FACT what they DID block/allow. Since
> you are not relying on the firewall to report this information, you are in a
> sense getting a secondary validation. This approach will also take you from
> what you KNOW the firewall is blocking/allowing to what you can PROVE the
> firewall is blocking/allowing. That difference can be both subtle and
> significant at the same time.
>
> I followed the same concept when I tested my firewall configuration for my
> SANS GIAC Certified Firewall Analyst (GCFW) certification, even though I
> would have gone a lot further with my testing if I had not been limited to
> space on my certification paper. You can see what I did and see my hping2
> scripts at
> http://www.giac.org/certified_professionals/practicals/gcfw/0480.php.
>
> Keep in mind that this method does not fully test any proxy functionality
> your firewall may have. You will need to apply some additional methods to
> validate additional capabilities outside of packet filtering.
>
> Good luck, and I hope this helps you out some...
> Chad
>
> -----Original Message-----
> From: Rocky [mailto:pixscreenpoint@gmail.com]
> Sent: Tuesday, June 13, 2006 7:30 PM
> To: pen-test@securityfocus.com
> Subject: firewall auditing/testing
>
>
> Hi guys,
>
> I'm new to the list and have been reading your email archives, but
> I have my own question: how do you test your firewall to see if it's really secured?
>
> Our IT director is really paranoid and he's not confident that our
> current firewall security is really secure.
>
> I already presented NMAP/Nessus audit logs and I even
> showed him the activity logs of our ACL that denies/drops
> everything from the internet and permits only the basic applications.
>
> Are there any other tools that can penetrate/test the firewall for vulnerabilities?
>
> Thanks,
> rocky
>
> ----------------------------------------------------------------------------
> --
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to
> rise,
> you need to proactively protect your applications from hackers. Cenzic has
> the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ----------------------------------------------------------------------------
> --
>

-- 
Andrea Barisani                             Inverse Path Ltd
Chief Security Engineer                     -----> <--------
<andrea@inversepath.com>          http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"
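The "secondary validation" Chad describes, worked through as an added example (this is not Chad's GCFW script, not FTester, and not code from anyone in the thread): build the hping2 probe matrix (spoofed sources x targets x ports x protocols), then cross-check what the firewall's own log CLAIMS it did with each probe against what an independent sniffer on the protected side actually SAW. All addresses are constructed TEST-NET values, the firewall log lines are assumed to be iptables-style LOG output and the capture lines tcpdump -n text; both formats, and the address plan, are assumptions for the demo, not anything the thread specifies.

```python
"""Cross-check a firewall's ACL log against an independent sniffer capture.

Addresses, log lines and capture lines below are constructed for this example.
Log format is assumed iptables-style LOG output; capture format tcpdump -n text.
"""
import re
from dataclasses import dataclass
from typing import Optional

OUTSIDE_BOX = "203.0.113.9"             # real address of the probe host (TEST-NET-3, assumed)
TARGETS = ["198.51.100.10"]             # hypothetical DMZ host (TEST-NET-2, assumed)
SPOOFED_SOURCES = ["127.0.0.1", "10.0.0.1", "192.168.1.1", "224.0.0.1", "255.255.255.255"]
PORTS = [0, 80, 443, 65535]             # 65536 cannot be encoded in a 16-bit port field


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for icmp


def build_matrix():
    """Every (source, target, protocol, port) combination the outside box will send."""
    probes = []
    for dst in TARGETS:
        for src in [OUTSIDE_BOX] + SPOOFED_SOURCES:
            for port in PORTS:
                probes.append(Probe(src, dst, "tcp", port))
                probes.append(Probe(src, dst, "udp", port))
            probes.append(Probe(src, dst, "icmp", None))
    return probes


def hping2_command(p):
    """hping2 line for one probe: -S/-2/-1 select TCP SYN/UDP/ICMP, -a spoofs the source, -c 1 sends one packet."""
    mode = {"tcp": f"-S -p {p.dport}", "udp": f"-2 -p {p.dport}", "icmp": "-1"}[p.proto]
    return f"hping2 {mode} -c 1 -a {p.src} {p.dst}"


FW_RE = re.compile(r"(?P<verdict>DROP|ACCEPT):.*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
                   r".*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dport>\d+))?")


def parse_firewall_log(lines):
    """Map each logged flow to the verdict the firewall CLAIMS it applied."""
    claims = {}
    for line in lines:
        m = FW_RE.search(line)
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            claims[Probe(m["src"], m["dst"], m["proto"].lower(), dport)] = m["verdict"]
    return claims


SNIFF_RE = re.compile(r" IP ([^\s:]+) > ([^\s:]+): (\w+)")


def parse_sniffer(lines):
    """Flows the sniffer on the protected side actually observed."""
    seen = set()
    for line in lines:
        m = SNIFF_RE.search(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "ICMP":
            seen.add(Probe(src, dst, "icmp", None))
        else:                                   # tcpdump prints host.port for TCP ("Flags") and UDP
            proto = "tcp" if kind == "Flags" else "udp"
            s_host, _ = src.rsplit(".", 1)
            d_host, d_port = dst.rsplit(".", 1)
            seen.add(Probe(s_host, d_host, proto, int(d_port)))
    return seen


def cross_check(probes, fw_lines, inside_lines):
    """Compare the firewall's claim with the sniffer's evidence for every probe sent."""
    claims, seen = parse_firewall_log(fw_lines), parse_sniffer(inside_lines)
    results = {}
    for p in probes:
        claim, inside = claims.get(p), p in seen
        if claim == "DROP" and inside:
            results[p] = "LEAK"              # logged as dropped, yet it reached the inside
        elif claim == "ACCEPT" and not inside:
            results[p] = "PHANTOM_ACCEPT"    # logged as passed, never arrived
        elif claim is None and inside:
            results[p] = "UNLOGGED_PASS"     # passed with no log entry at all
        elif claim is None:
            results[p] = "NO_EVIDENCE"       # neither logged nor seen: silently dropped
        else:
            results[p] = "CONSISTENT"
    return results


def findings(results):
    """Only the verdicts that contradict the firewall's own story."""
    return {p: v for p, v in results.items() if v in ("LEAK", "PHANTOM_ACCEPT", "UNLOGGED_PASS")}


# Constructed sample evidence for the demo run (not real logs).
FW_LOG = [
    "Jun 15 03:58:01 fw kernel: ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=2001 DPT=80 SYN",
    "Jun 15 03:58:02 fw kernel: DROP: IN=eth0 OUT= SRC=10.0.0.1 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=2002 DPT=80 SYN",
    "Jun 15 03:58:03 fw kernel: DROP: IN=eth0 OUT= SRC=127.0.0.1 DST=198.51.100.10 LEN=28 PROTO=ICMP TYPE=8 CODE=0",
    "Jun 15 03:58:04 fw kernel: ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=2003 DPT=443 SYN",
]
INSIDE_CAPTURE = [
    "03:58:01.000100 IP 203.0.113.9.2001 > 198.51.100.10.80: Flags [S], seq 0, win 512, length 0",
    "03:58:02.000100 IP 10.0.0.1.2002 > 198.51.100.10.80: Flags [S], seq 0, win 512, length 0",
    "03:58:05.000100 IP 203.0.113.9.2004 > 198.51.100.10.0: UDP, length 0",
]

if __name__ == "__main__":
    for p, v in findings(cross_check(build_matrix(), FW_LOG, INSIDE_CAPTURE)).items():
        print(f"{v:15} {hping2_command(p)}")
```

On the sample data the run flags three contradictions: the RFC 1918-sourced SYN to port 80 that the log says was dropped but the DMZ sniffer saw (the case Chad warns about), an accepted SYN to 443 that never arrived, and a UDP packet to port 0 that passed without being logged at all. Probes that are neither logged nor seen are reported as NO_EVIDENCE rather than as blocked, because a silent drop and a capture gap look identical from the inside; the sniffer on the outside segment is what distinguishes them.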


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:07 EDT