firewall testing framework/parameters

From: Siddhartha Jain (losttoy2000@yahoo.co.uk)
Date: 01/16/02


Date: Wed, 16 Jan 2002 10:28:34 +0000 (GMT)
From: Siddhartha Jain <losttoy2000@yahoo.co.uk>
To: pen-test@securityfocus.com

Hi,

I am in the process of preparing a framework/parameter
list on which a firewall would be tested. Here are
some tests I can think of on which a firewall should
be tested:

1. Sustained TCP connections, throughput & number. Eg.
FTP

2. Short-lived TCP connections, throughput, number,
connection establishment and tear-down time. Eg.
SMTP/HTTP

3. Sustained UDP connections (although UDP is
connectionless), throughput & number. Eg. Streaming
video/audio.

4. Short-lived UDP communication, number. Eg. DNS.

5. ICMP RTT at different load levels.

6. SYN Flood test

7. Connection establishment time with respect to the number of
rules on the firewall.

8. Filtering and fragmentation
- Reaction of the firewall on receiving a TCP packet
with the RST or ACK flag set.
- IP fragmentation re-assembly test.
- Overlap recognition

9. Are existing checksums for IP, TCP and UDP
verified?

10. A portscan of the firewall IP. Of the servers
behind the firewall.

11. Nessus tests on the firewall IP and the servers
behind the firewall.

12. All the tests repeated with static NAT enabled.

13. All the tests repeated with IPSec.

14. Effect of logging on these tests.

15. Attempt to reach denied ports behind the firewall
when the firewall is saturated. Or, in other words,
test if the firewall turns blind during a SYN Flood?

Can you think of more tests for stressing/penetrating
the firewall? Also, what methodology should be adopted
to measure the various test results?

Any help would be appreciated.

Regards,

Siddhartha
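As an added illustration of the measurement methodology the post asks about (not part of the original message or any tool it mentions), the harness below times tests 1 and 2 from the list: short-lived TCP connection establishment/tear-down and sustained TCP throughput over one long connection. It reduces raw timings to min/median/p95/max so that runs with different rule counts, NAT, IPSec or logging enabled (tests 7, 12, 13, 14) can be compared on the same numbers. The local `SinkServer` is an assumption standing in for the host behind the firewall; in a real test the client runs on the outside and `host`/`port` point at a server behind the firewall under test, so that the measured path crosses it.

```python
"""Measurement harness for firewall throughput / connection-time tests.

Added example: a local sink server (assumed stand-in for the protected host)
receives connections so the harness runs offline; point host/port at a real
server behind the firewall to measure the firewall itself.
"""
import socket
import statistics
import threading
import time
from dataclasses import dataclass


@dataclass
class LatencyStats:
    samples: int
    min_ms: float
    median_ms: float
    p95_ms: float
    max_ms: float


def summarize(samples_s):
    """Reduce raw per-connection timings (seconds) to millisecond statistics."""
    if not samples_s:
        raise ValueError("no samples")
    ms = sorted(s * 1000.0 for s in samples_s)
    # nearest-rank style p95: index 0.95 of the way through the sorted list
    p95_index = min(len(ms) - 1, int(round(0.95 * (len(ms) - 1))))
    return LatencyStats(len(ms), ms[0], statistics.median(ms), ms[p95_index], ms[-1])


class SinkServer:
    """Accepts TCP connections and discards everything sent (constructed stand-in
    for the server behind the firewall)."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        self.sock.settimeout(0.2)  # wake periodically to notice the stop flag
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._drain, args=(conn,), daemon=True).start()

    @staticmethod
    def _drain(conn):
        with conn:
            while conn.recv(65536):  # recv() returns b"" once the peer closes
                pass

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def short_lived_connections(host, port, count):
    """Test 2: time connect + close for `count` short-lived TCP connections."""
    timings = []
    for _ in range(count):
        t0 = time.perf_counter()
        s = socket.create_connection((host, port), timeout=5)
        s.close()
        timings.append(time.perf_counter() - t0)
    return summarize(timings)


def sustained_throughput(host, port, total_bytes, chunk=64 * 1024):
    """Test 1: push total_bytes over one long-lived TCP connection; return Mbit/s."""
    payload = b"\x00" * chunk
    sent = 0
    t0 = time.perf_counter()
    with socket.create_connection((host, port), timeout=5) as s:
        while sent < total_bytes:
            n = min(chunk, total_bytes - sent)
            s.sendall(payload[:n])
            sent += n
    elapsed = time.perf_counter() - t0
    return (sent * 8) / elapsed / 1e6


def run_local_demo(count=200, total_bytes=8 * 1024 * 1024):
    """Run both tests against the local sink and return (LatencyStats, Mbit/s)."""
    srv = SinkServer()
    try:
        lat = short_lived_connections("127.0.0.1", srv.port, count)
        mbps = sustained_throughput("127.0.0.1", srv.port, total_bytes)
    finally:
        srv.close()
    return lat, mbps


if __name__ == "__main__":
    stats, rate = run_local_demo()
    print(f"short-lived connections: {stats}")
    print(f"sustained throughput: {rate:.1f} Mbit/s")
```

Record the output of each run together with the firewall configuration it was taken under (rule count, NAT/IPSec on or off, logging level) and repeat each run several times; the median and p95 columns are what make two configurations comparable, since a single connection time says little about the firewall's behaviour under load.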


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


