RE: network policy checking



You may want to look into products from Red Seal, Skybox or other
network-specific compliance analysis tools for your purposes. While Nessus
et al. suggested by others would possibly alert you to potential weaknesses
in your network, they would have no bearing on your policies, router
configs, etc.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@xxxxxxxxxxxxxx
"Do Not Taunt Happy-Fun Ball"





-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Sony C
Sent: Thursday, March 27, 2008 8:46 PM
To: Todd Haverkos
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: network policy checking

Todd,

My primary area of interest is to see if the network I am assessing meets
certain best practices, e.g. all the Cisco routers have a certain QoS, or
IPsec/GRE tunnels are supported, etc.
Hope this clarifies things a bit?

Regards,
SC.


----- Original Message ----
From: Todd Haverkos <fsbo@xxxxxxxxxxxx>
To: Sony C <raagamuffin@xxxxxxxxx>
Cc: pen-test@xxxxxxxxxxxxxxxxx
Sent: Thursday, March 27, 2008 10:29:57 PM
Subject: Re: network policy checking

Sony C <raagamuffin@xxxxxxxxx> writes:

> Hello fellow pen-testers,
>
> I am looking for tools that perform network policy checking. Specifically,
> tools that allow the user to define a policy and then test the network
> elements to see if they adhere to this policy. As one might guess, this can
> be accomplished either via config file checking (passive) or actual network
> testing (active, via SNMP etc).
> I am interested in both flavors, if they are available. These tools can be
> commercial or open-source/free/shareware.
> While it is a broad requirement, this hypothetical tool will primarily be
> looking at routers, firewalls, etc.
>
> Thank you in advance for sharing your thoughts.

Hi Sony,

Could you give some examples of specific routers and firewalls you're
looking to check, and what example "network policy" issues you're
interested in? It might help focus down some of the recommendations.
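For readers arriving at this thread, the "passive" flavour Sony describes (define a policy, then check saved device configs against it) is small enough to sketch. The script below is an added example written for this page; it is not one of the tools named in the thread, and the policy rules, hostnames and IOS-style config snippets are constructed. It checks each config for required and forbidden global lines and for a QoS service-policy on every WAN-facing (Serial) interface, which is the kind of best-practice check Sony mentions.

```python
"""Passive network policy check over saved Cisco IOS-style configs.

Added example for the pen-test thread on network policy checking; the
rules and sample configs below are constructed, not taken from any product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GlobalRule:
    """A line that must (required=True) or must not (required=False) appear."""
    name: str
    pattern: str          # regex matched per line against the whole config
    required: bool = True


@dataclass(frozen=True)
class InterfaceRule:
    """A line that must appear inside every interface block matching `scope`."""
    name: str
    pattern: str          # regex matched against each stripped line of the block
    scope: str            # regex matched against the interface name


# Hypothetical policy: the thread only says "a certain QoS" and "IPsec/GRE".
POLICY_GLOBAL = [
    GlobalRule("password encryption enabled", r"^service password-encryption$"),
    GlobalRule("IPsec transform-set defined", r"^crypto ipsec transform-set "),
    GlobalRule("HTTP server disabled", r"^ip http server$", required=False),
]
POLICY_INTERFACE = [
    InterfaceRule("WAN QoS policy applied", r"^service-policy output WAN-QOS$", r"^Serial"),
]


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into interface blocks: name -> its indented lines."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # "!" or any other top-level line ends the block
    return blocks


def check_device(hostname: str, config: str,
                 global_rules=POLICY_GLOBAL, iface_rules=POLICY_INTERFACE) -> list[str]:
    """Return one finding string per policy violation; empty list means compliant."""
    findings = []
    for rule in global_rules:
        present = re.search(rule.pattern, config, re.MULTILINE) is not None
        if rule.required and not present:
            findings.append(f"{hostname}: missing required setting: {rule.name}")
        elif not rule.required and present:
            findings.append(f"{hostname}: forbidden setting present: {rule.name}")
    for iface, lines in parse_interfaces(config).items():
        for rule in iface_rules:
            if re.match(rule.scope, iface) and not any(re.match(rule.pattern, l) for l in lines):
                findings.append(f"{hostname}: {iface}: missing {rule.name}")
    return findings


def audit(configs: dict[str, str]) -> dict[str, list[str]]:
    """Run the policy over a set of configs keyed by hostname."""
    return {host: check_device(host, cfg) for host, cfg in configs.items()}


# Constructed sample configs: one compliant device, one with four violations.
SAMPLE_CONFIGS = {
    "edge-rtr-1": """hostname edge-rtr-1
service password-encryption
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
interface Serial0/0/0
 description WAN uplink (constructed sample)
 ip address 192.0.2.1 255.255.255.252
 service-policy output WAN-QOS
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
end
""",
    "edge-rtr-2": """hostname edge-rtr-2
ip http server
!
interface Serial0/0/0
 ip address 192.0.2.5 255.255.255.252
!
interface Serial0/0/1
 ip address 192.0.2.9 255.255.255.252
 service-policy output WAN-QOS
!
end
""",
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONFIGS).items():
        print(f"{host}: {'compliant' if not findings else ''}")
        for f in findings:
            print("  " + f)
```

The active (SNMP) flavour would feed the same rule set from live data instead of saved files; the separation of parsing from policy evaluation is what makes that swap cheap.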

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------