Re: [fw-wiz] How automate firewall tests

Hello, thanks for all the answers!

On Thu, 17 Aug 2006 13:33:58 -0400
"Marcus J. Ranum" <mjr@xxxxxxxxx> wrote:

You've chosen a fairly interesting problem. What do you intend to
measure about a firewall?

I'd like to test security instead of perfomance. In my study
performance could be important to test if they can generate a security
problem. For example, if a packet filter or an application proxy under
heavy traffic don't filter correctly as they do in normal situation,
I'd like to see that.
Many days ago I read the firewall whitepaper of ICSA labs
and I saw at page 6 that the main problems about firewalls (or packets
filter) was related at reply attacks, tcp pre-session packets,
fragmentation and so on... I had in mind these types of tests in my
first email.

There's a paper or two that might help you. One (search for
"Ranum Kostic Molitor") is quite ancient, but the problem remains
the same. Email me privately if you want a copy; I can see
if I can find it.

Oh thank you. I'll read it if you can find a copy because on google I
don't find nothing :-(

Another is a paper I did back in the NFR days
on how to cheat on IDS benchmarks. It's highly relevant.

I read this message. Well, my idea is a bit more modest than that, but
anyway I'm confused about how organize all the "penetration tests" in
a pseudo automatic and logical way. Until yesterday I thought that it
would be enough design a tool for doing synscan, ackscan, fragmentation
stuff ecc... today I'm not so sure..

is a repeat thread of this topic from 2002. See also:

I'm not interested in IDS at the moment but I read with pleasure that
paper. It shows how will be hard for me design something useful and not
a toy.

On Fri, 18 Aug 2006 09:30:07 -0400
"Marcus J. Ranum" <mjr@xxxxxxxxx> wrote:

Durga Prasad wrote:
There are couple of tools which test if a firewalling is leaking any

People still rely on packet-based firewalls??!!! You're joking,
right? It's 2006!

Mmmm, maybe I wrong, but I read in one of my book called "Inside Network
Perimeter Security" the importance of defense in depth. It seems that a
packet-based firewall is anyway useful in many situations, or not?

On Fri, 18 Aug 2006 10:17:13 +0200
Jean-Denis Gorin <jdgorin@xxxxxxxxxxxx> wrote:

What I would like, is a tool able to answer 2 questions:
1/ what is the security level of my firewal platform (OS security,
patches up to date, is the firewall protect itself well, ...)?
2/ is the configuration of that firewall compliant with my security

Ok, learned.

The second point requires a tool able to *understand* a security
policy. And that requires a tool able to *model* a security policy.

I think this would be great but a bit far from my possibility.

Then, you have to code a security policy checker. And analyzing the
firewall configuration files is *not* the right way: you have to find
an external way to check that to be sure that the firewall
implementation of the security policy is right. That means accepting
the authorized data flows, *and* reject all others kind. The
difficult part is to check 'all others kind of data flows', including
tunneling, covert channel, ...

Considering netfilter as example about this, do you mean something like
a software that parse the output of the iptables-save command and than
automatically generate, first, all the traffic allowed, then all other
tcp/ip traffic to see if something can bypass the firewall? You right
it's a big problem, I'll see..

Thanks to all, thanks for the "good luck", I really need it :-)

Strabla Ruggero
firewall-wizards mailing list