RE: FW1 External Ruleset validation tools?

From: Rob Shein (shoten_at_starpower.net)
Date: 09/11/03

  • Next message: Ballowe, Charles: "RE: FW1 External Ruleset validation tools?"
    To: "'Leif Sawyer'" <lsawyer@gci.com>, <pen-test@securityfocus.com>
    Date: Thu, 11 Sep 2003 13:05:06 -0400
    
    

    What can you tell us about the nature of the packets? In Checkpoint, there
    are "Implied" rules that govern things like UDP responses and DNS
    communications. In many cases, firewall testing tools will not replicate
    the real-world interactions that these rules are meant for.

    > -----Original Message-----
    > From: Leif Sawyer [mailto:lsawyer@gci.com]
    > Sent: Wednesday, September 10, 2003 1:04 PM
    > To: pen-test@securityfocus.com
    > Subject: FW1 External Ruleset validation tools?
    >
    >
    > Hello,
    >
    > I'm looking for a way to audit my firewall ruleset, in
    > a very specific manner.
    >
    >
    > I've gotten reports of packets traversing our firewall
    > that should not be allowed by any of the rules currently implemented.
    >
    > What is the easiest way to find out what rule line the
    > supposed packet could be traversing, without logging on every
    > single rule? This is interesting because it is a random
    > occurrence, with no way to know when it will happen. And I
    > dislike the idea of full logging until I see the violation
    > again -- I just don't have the diskspace, for one.
    >
    > Something like an external program that would allow a crafted
    > packet to be 'virtually' sent through the ruleset would be perfect.
    >
    > Does such a tool exist? Preferably supporting Checkpoint FW-1 NG
    >
    > Thanks
    >
    > Leif Sawyer
    > --
    >
    > "It's pronounced Layf...you know, like Leif Garret? Don't you
    > watch 'I Love the 70's'? What kind of retro lover are you, anyway?"
    >
    >

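As an added illustration (not part of the original thread, and not a Check Point tool): the toy rule-base simulator below plays the role of the "virtually send a crafted packet through the ruleset" program Leif asked for, and it shows the mechanism Rob points at. Implied rules (here, a DNS-over-UDP rule evaluated first and a stateful "accept UDP replies" check) sit alongside the explicit rule base, so a packet can be accepted even though no explicit rule permits it. The property names, rule placement, addresses and ports are illustrative assumptions, not FW-1 NG's actual defaults; a real firewall also expires state entries and has several implied-rule positions.

```python
"""Toy first-match rule-base simulator (added example, not from the original
thread). Implied rules and UDP reply state are evaluated alongside the explicit
rule base, so a packet no explicit rule permits can still be accepted. Rule
names, placement and addresses are illustrative assumptions."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 stands for "Any"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class RuleBase:
    """Evaluation order (assumed): implied 'first' rules, UDP reply state,
    explicit rules (first match wins), then an implicit drop."""

    def __init__(self, implied_first: List[Rule], explicit: List[Rule]):
        self.implied_first = implied_first
        self.explicit = explicit
        # 4-tuples of accepted UDP packets, so the reverse flow is recognised
        # as a reply. A real firewall also ages these entries out.
        self.udp_state: Set[Tuple[str, int, str, int]] = set()

    def _remember_udp(self, pkt: Packet) -> None:
        if pkt.proto == "udp":
            self.udp_state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) naming the rule the packet hit."""
        for rule in self.implied_first:
            if rule.matches(pkt):
                self._remember_udp(pkt)
                return rule.action, f"implied: {rule.name}"
        # Stateful implied rule: accept the reverse of a UDP flow we allowed.
        if pkt.proto == "udp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.udp_state:
            return "accept", "implied: Accept UDP replies"
        for idx, rule in enumerate(self.explicit, start=1):
            if rule.matches(pkt):
                self._remember_udp(pkt)
                return rule.action, f"explicit rule {idx}: {rule.name}"
        return "drop", "implicit drop (no rule matched)"


def build_demo_rulebase() -> RuleBase:
    """Constructed rule base: one implied DNS rule plus two explicit rules
    (web out from 10.0.0.0/8, then a cleanup drop)."""
    implied = [Rule("Accept Domain Name over UDP (Queries)", "accept", proto="udp", dport=53)]
    explicit = [
        Rule("web out", "accept", src="10.0.0.0/8", proto="tcp", dport=80),
        Rule("cleanup", "drop"),
    ]
    return RuleBase(implied, explicit)


def demo() -> List[Tuple[str, str]]:
    """Constructed packets: an outbound DNS query, its reply, an unsolicited
    UDP packet aimed at the same client port, and an ordinary web request."""
    rb = build_demo_rulebase()
    packets = [
        Packet("10.0.0.5", "192.0.2.53", "udp", 40000, 53),     # query out
        Packet("192.0.2.53", "10.0.0.5", "udp", 53, 40000),     # its reply
        Packet("198.51.100.7", "10.0.0.5", "udp", 53, 40000),   # no matching query
        Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 80),    # web out
    ]
    return [rb.evaluate(p) for p in packets]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:6} <- {reason}")
```

The second packet is the interesting one: it is accepted by the stateful reply check although nothing in the explicit rule base allows traffic from the Internet to 10.0.0.5, which is exactly the kind of "packet that no rule permits" that a stateless crafted-packet test would report as a violation. The third packet, identical except that no query preceded it, falls through to the cleanup rule.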

