Hello, thanks for all the answers!

On Thu, 17 Aug 2006 13:33:58 -0400
"Marcus J. Ranum" wrote:

> You've chosen a fairly interesting problem. What do you intend to
> measure about a firewall?

I'd like to test security instead of performance. In my study
performance could be important to test if it can generate a security
problem. For example, if a packet filter or an application proxy under
heavy traffic doesn't filter correctly as it does in a normal situation,
I'd like to see that.
Many days ago I read the ICSA Labs firewall whitepaper,
and I saw on page 6 that the main problems with firewalls (or packet
filters) were related to replay attacks, TCP pre-session packets,
fragmentation and so on... I had these types of tests in mind in my
first email.

> There's a paper or two that might help you. One (search for
> "Ranum Kostic Molitor") is quite ancient, but the problem remains
> the same. Email me privately if you want a copy; I can see
> if I can find it.

Oh, thank you. I'll read it if you can find a copy, because on Google I
can't find anything :-(

> Another is a paper I did back in the NFR days
> on how to cheat on IDS benchmarks. It's highly relevant.
> http://www.mail-archive.com/firewall.../msg22759.html

I read this message. Well, my idea is a bit more modest than that, but
anyway I'm confused about how to organize all the "penetration tests" in
a pseudo-automatic and logical way. Until yesterday I thought that it
would be enough to design a tool for doing SYN scans, ACK scans, fragmentation
stuff etc.... today I'm not so sure...

> is a repeat thread of this topic from 2002. See also:
> http://www.snort.org/docs/Benchmarking-IDS-NFR.pdf

I'm not interested in IDS at the moment, but I read that paper with
pleasure. It shows how hard it will be for me to design something useful
and not a toy.

On Fri, 18 Aug 2006 09:30:07 -0400
"Marcus J. Ranum" wrote:

> Durga Prasad wrote:
> >There are a couple of tools which test if a firewall is leaking any
> >packets.

> People still rely on packet-based firewalls??!!! You're joking,
> right? It's 2006!

Mmmm, maybe I'm wrong, but I read in one of my books, "Inside Network
Perimeter Security", about the importance of defense in depth. It seems
that a packet-based firewall is still useful in many situations, or not?

On Fri, 18 Aug 2006 10:17:13 +0200
Jean-Denis Gorin wrote:

> What I would like, is a tool able to answer 2 questions:
> 1/ what is the security level of my firewall platform (OS security,
> patches up to date, does the firewall protect itself well, ...)?
> 2/ is the configuration of that firewall compliant with my security
> policy?

Ok, learned.

> The second point requires a tool able to *understand* a security
> policy. And that requires a tool able to *model* a security policy.

I think this would be great but a bit far from my possibility.

> Then, you have to code a security policy checker. And analyzing the
> firewall configuration files is *not* the right way: you have to find
> an external way to check that to be sure that the firewall
> implementation of the security policy is right. That means accepting
> the authorized data flows, *and* rejecting all other kinds. The
> difficult part is to check 'all other kinds of data flows', including
> tunneling, covert channels, ...

Considering netfilter as an example of this, do you mean something like
a piece of software that parses the output of the iptables-save command
and then automatically generates, first, all the allowed traffic, then
all other TCP/IP traffic, to see if something can bypass the firewall?
You're right, it's a big problem, I'll see...

Thanks to all, thanks for the "good luck", I really need it :-)

Strabla Ruggero
firewall-wizards mailing list
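An added example, not part of the thread or of anyone's message in it, of the netfilter idea sketched above: a script that parses an iptables-save dump, computes the verdict the INPUT chain should give to a new flow (first matching rule wins, otherwise the chain policy), and turns that into a probe plan: every flow the policy allows, plus boundary flows next to each allowed one (neighbouring ports, the first address outside a permitted subnet) that the firewall must reject. The ruleset, the TEST-NET-3 client address and the handful of iptables options understood are assumptions made for this example; the dump is constructed, not taken from a real host.

```python
"""Added example: model a netfilter INPUT chain from iptables-save output and
derive the verdicts a firewall test tool should expect for each probe flow.
Constructed ruleset; only -i, -p, -s, --dport, -j and -m/--state are parsed."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Flow = Tuple[str, str, int]  # (protocol, source address, destination port)

# Constructed dump: default-deny INPUT, SSH only from the LAN, public
# HTTP/HTTPS and DNS, and a DROP rule that shadows the DNS rule for 10/8.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    target: str = ""
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    states: List[str] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        """First packet of `flow` on an external interface: -i lo and
        ESTABLISHED-only rules can never match a probe."""
        proto, src, dport = flow
        if self.iface == "lo" or (self.states and "NEW" not in self.states):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        return self.dport is None or self.dport == dport

def parse_iptables_save(text: str, chain: str = "INPUT"):
    """Return (chain policy, ordered rules) for one chain of the filter table."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]            # ":INPUT DROP [0:0]" -> DROP
        elif line.startswith(f"-A {chain} "):
            toks = shlex.split(line)[2:]        # strip "-A INPUT"
            rule = Rule()
            # assumption: every option used here takes exactly one argument
            for opt, arg in zip(toks[0::2], toks[1::2]):
                if opt == "-j":
                    rule.target = arg
                elif opt == "-p":
                    rule.proto = arg
                elif opt == "-s":
                    rule.src = ipaddress.ip_network(arg, strict=False)
                elif opt == "-i":
                    rule.iface = arg
                elif opt == "--dport":
                    rule.dport = int(arg)
                elif opt == "--state":
                    rule.states = arg.split(",")
                elif opt != "-m":               # "-m tcp" only names an extension
                    raise ValueError(f"unsupported option {opt!r} in {line!r}")
            rules.append(rule)
    return policy, rules

def expected_verdict(policy: str, rules: List[Rule], flow: Flow) -> str:
    """netfilter semantics: the first matching rule decides, else the policy."""
    for rule in rules:
        if rule.matches(flow):
            return rule.target
    return policy

def probe_plan(policy: str, rules: List[Rule]) -> List[Tuple[Flow, str]]:
    """Per ACCEPT rule with a port: the permitted flow, its two neighbouring
    ports, and (if source-restricted) the first address outside the subnet."""
    plan = []
    for r in rules:
        if r.target != "ACCEPT" or r.dport is None or r.proto is None:
            continue
        # first host of the allowed net, or a TEST-NET-3 address for "anyone"
        client = str(r.src[1]) if r.src is not None else "203.0.113.7"
        for port in (r.dport, r.dport - 1, r.dport + 1):
            flow = (r.proto, client, port)
            plan.append((flow, expected_verdict(policy, rules, flow)))
        if r.src is not None:
            flow = (r.proto, str(r.src.broadcast_address + 1), r.dport)
            plan.append((flow, expected_verdict(policy, rules, flow)))
    return plan

if __name__ == "__main__":
    policy, rules = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    for (proto, src, port), verdict in probe_plan(policy, rules):
        print(f"{proto:4} {src:>15} -> port {port:<5} expect {verdict}")
```

The plan is the oracle for a test run: send each flow from the named source (with a fresh SYN or a UDP datagram), observe whether the service behind the firewall sees it, and flag any disagreement with the expected verdict. Two things the sample already shows are worth checking on a real ruleset: rule order matters (a DNS query from 10.1.2.3 is expected to be dropped because the 10/8 DROP rule precedes the general ACCEPT), and the "all other traffic" set cannot be enumerated, so the plan samples boundaries around each allowed flow instead. The model is deliberately stateless and ignores -d, --sport, negation, fragments and other chains; those are exactly the places where a real checker has to grow.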