Summary of answers for VAP routers/switches/firewalls (was Re: Routers, Switches, and Firewall testing)

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Mon Feb 14 2005 - 18:03:20 EST


Greg Dreelin wrote:
> I have a question to present that is in need of a good answer. The
> question I have is "Is there any good programs for VAP testing routers,
> switches, and firewalls?" I know there is the Router Assessment Tool (RAT)
> for Cisco router and there is FTEST for firewalls, but are there any other
> programs that can be loaded on to a Laptop Toolkit that can do the testing?
> Looking for a all in one program if there is such a thing. If anyone has
> any good ideas please let me know. Thanks ahead.

Let me summarise some of the answers in this thread, and take the
opportunity to add some of my own answers (and bias!). I believe
this is a topic that might interest quite a number of people...

From my POV you can actually do three kinds of testing when testing
routers/switches/firewalls, one passive (configuration review) and two
active (end-to-end and pen-testing):

-----------------
White box testing
-----------------

That is, reviewing the configuration of the system itself (both the OS
configuration and the firewall rules themselves). That's where the Router
Audit Tool (rat) fits in for routers (and maybe switches), by
reviewing the configuration (you need to either get access to it or
have the customer provide you with it) and pointing out common
configuration mistakes. That's also where Algosec's Firewall Analyser
fits in: it reviews the firewall configuration and provides you
feedback on errors. A good overview of these configuration errors is
Avishai Wool's "A Quantitative Study of Firewall Configuration Errors"
(published in IEEE Computer last year).

Notice that RAT needs to be used together with some good definitions,
and I believe only the Center for Internet Security has some out there
(anyone else?), and that the definitions available (at least those I
know of) are Cisco-specific.

As for Algosec's FA, AFAIK it currently supports either Cisco PIX or
Check Point Firewall-1.

There are some other analysis tools out there that people have not
mentioned, like Brad Downey's Cisco PIX ACL Parser, Volker Tanger's
fw1rules,

In the end, products that do white-box testing help consultants do a
fast automatic review. You can do this "by hand", probably investing
more time and needing more expertise. Obviously, you would need to:

- get your hands on good security reference material, either provided
by the vendor or from other sources. For example, NIST's Special
Publication 800-41 "Guidelines on Firewalls and Firewall Policy" is a
good read, as is CERT's "Test the firewall system" (a practice from
the CERT Security Improvement Modules)

- and/or seek assistance of certified professionals that know their
way around the vendor's product and can pinpoint security issues.

Obviously, if the switch/router/firewall is deployed on a standard OS
(think "Windows ISA Firewall" or, IMHO more common, "Solaris
Checkpoint Firewall") you need to review the underlying OS to make
sure that it has been properly hardened. Some vendors provide tips on
hardening the underlying OS; I personally find some of them lacking, and it
looks to me that one of the reasons the firewall market is providing
firewall appliances is just because people don't know how to properly
harden a system. E.g. Nokia's IP Firewalls are appliances running
IPSO, a hardened FreeBSD, and Check Point Firewall-1.

------------------
End-to-end testing
------------------

This testing is oriented towards testing routers' ACLs or firewall
rules. You actually first manually review the rules (to know where you
are heading) and then plug two devices into different networks to which
the firewall/router is connected and pump traffic through. You can
actually see two things with this testing:

1.- If the firewall implements the defined rules properly and whether
there are implicit rules that overlap with the rules defined and cause
unexpected situations (traffic from A to B should be blocked but it is
not)
2.- What kind of firewall is this (is it a stateful firewall?) and how
does it handle traffic (can it be DoSed with small fragments? does it
pass traffic that will SYN-flood the boxes it protects? etc.)

Any traffic generation is useful for this. This includes some
firewall-specific testing tools such as:

(free, as in freedom)
- Andrea Barisani's Ftester -
http://www.infis.univ.trieste.it/~lcars/ftester/
- Mike D. Schiffman's Firewalk - http://www.packetfactory.net/firewalk
- Renaud Deraison's filterrules
- Thomas Biege's AssItch

(proprietary)
- Blade Software's Firewall Informer -
http://www.blade-software.com/FWInformer.htm

And, obviously, anything that can throw traffic on one side and a
network analyser on the other side. I would personally choose (and it
seems I'm not alone):

- Fyodor's Nmap - http://www.insecure.org/nmap/
- Isic tools - http://www.packetfactory.net/projects/ISIC/
- GomoR's Net::Packet - http://search.cpan.org/~gomor/
- Darren Bounds's http://packit.sourceforge.net
- Gspoof - http://gspoof.sourceforge.net/
- Scapy - http://www.cartel-securite.fr/pbiondi/projects/scapy.html

Some of this testing is actually described in the OSSTMM (read the
section 'Access Control Testing') and some of this is also covered in
the tests that firewall vendors take when they certify their firewall
with the ICSA stamp (you might want to check out some of the firewall
testing done at their labs there).

Also, if you want to do it in depth you need to do it for every
combination of interfaces the firewall has (and in both directions), so
you actually need to do (Interfaces) x (Interfaces-1) tests. That is,
if you have two interfaces A and B that would be two tests, from A->B
and B->A. If you have three interfaces then you need to do six tests
(3*2) (A->B, A->C, B->A, B->C, C->A, C->B), four interfaces 12 tests,
five interfaces 20 tests and so on. Usually you are interested in a
few tests based on the firewall zones (from the Internet to the DMZ
and from the Internet to the internal network), but you can gain a lot
of insight if you test other combinations (e.g. what can an attacker
in your DMZ do to your internal systems?)

-------------------
Penetration testing
-------------------

This is actually a combination of the test above and penetration
testing against the router/switch/firewall itself. In this test you
look at how the ACLs are implemented both protecting the networks the
network device connects to and how those ACLs protect the firewall.
You also look at the device from a network device perspective.

Some common questions: does it have other management interfaces? Can I
gain access to them? (A subset of this question is: is it SNMP
managed? Can I brute force the SNMP community?) How can this device be
abused to leverage access to the network? (i.e. arp-spoofing controls
when testing switches, TCP/IP spoofing attacks when testing
firewalls), etc.

Obviously, the number of tools you can use here is enormous. All
generic penetration test tools will be useful here, as will many
network-based attack tools, some specific brute-force tools and proper
lists of common passwords for network devices.

Regards

Javier
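The white-box section above describes reviewing an ordered rule set for common configuration mistakes (the kind RAT or Firewall Analyser report). As an added example that is not part of the original post or of any tool it names, here is a small first-match policy checker that flags rules shadowed by an earlier rule with the opposite action, redundant rules, and an unconditional permit; the rule format and sample policy are constructed.

```python
"""Rule-set review helper for an ordered, first-match firewall/ACL policy.
Added example, not from the original post; rule format and policy are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: tuple           # inclusive (low, high) port range; (0, 65535) = any

def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return proto_ok and src_ok and dst_ok and port_ok

def review(rules):
    """Return (kind, rule_name, earlier_rule_name) findings.
    'shadowed': an earlier rule with a different action hides this one, so it never
    fires (the classic misordering error). 'redundant': same action, already covered."""
    findings = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append((kind, r.name, earlier.name))
                break   # the first covering rule is the one that decides the packet
        if r.action == "permit" and r.proto == "ip" and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0":
            findings.append(("permit-any", r.name, None))
    return findings

# Constructed sample policy: ordered, first match wins.
SAMPLE_POLICY = [
    Rule("r1", "permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", (80, 80)),
    Rule("r2", "deny",   "tcp", "192.0.2.0/24", "10.1.1.10/32", (80, 80)),    # shadowed by r1
    Rule("r3", "permit", "tcp", "198.51.100.0/24", "10.1.1.10/32", (80, 80)), # redundant with r1
    Rule("r4", "permit", "ip",  "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),        # permits everything
]

if __name__ == "__main__":
    for finding in review(SAMPLE_POLICY):
        print(finding)
```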



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT