Re: [fw-wiz] How automate firewall tests
Hello, thanks for all the answers!
On Thu, 17 Aug 2006 13:33:58 -0400, "Marcus J. Ranum" wrote:
> You've chosen a fairly interesting problem. What do you intend to
> measure about a firewall?
I'd like to test security instead of performance. In my study,
performance could be important to test whether it can generate a security
problem. For example, if a packet filter or an application proxy under
heavy traffic doesn't filter correctly as it does in a normal situation,
I'd like to see that.
Many days ago I read the firewall whitepaper of ICSA Labs
and I saw at page 6 that the main problems with firewalls (or packet
filters) were related to replay attacks, TCP pre-session packets,
fragmentation and so on... I had in mind these types of tests in my
> There's a paper or two that might help you. One (search for
> "Ranum Kostic Molitor") is quite ancient, but the problem remains
> the same. Email me privately if you want a copy; I can see
> if I can find it.
Oh, thank you. I'll read it if you can find a copy, because on Google I
can't find anything :-(
> Another is a paper I did back in the NFR days
> on how to cheat on IDS benchmarks. It's highly relevant.
I read this message. Well, my idea is a bit more modest than that, but
anyway I'm confused about how to organize all the "penetration tests" in
a pseudo-automatic and logical way. Until yesterday I thought that it
would be enough to design a tool for doing synscan, ackscan, fragmentation
stuff etc... today I'm not so sure..
> is a repeat thread of this topic from 2002. See also:
I'm not interested in IDS at the moment, but I read that paper with
pleasure. It shows how hard it will be for me to design something useful and not
On Fri, 18 Aug 2006 09:30:07 -0400, "Marcus J. Ranum" wrote:
> Durga Prasad wrote:
> >There are couple of tools which test if a firewalling is leaking any
> People still rely on packet-based firewalls??!!! You're joking,
> right? It's 2006!
Mmmm, maybe I'm wrong, but I read in one of my books, "Inside Network
Perimeter Security", about the importance of defense in depth. It seems that a
packet-based firewall is still useful in many situations, or not?
On Fri, 18 Aug 2006 10:17:13 +0200
> What I would like, is a tool able to answer 2 questions:
> 1/ what is the security level of my firewall platform (OS security,
> patches up to date, does the firewall protect itself well, ...)?
> 2/ is the configuration of that firewall compliant with my security
> The second point requires a tool able to *understand* a security
> policy. And that requires a tool able to *model* a security policy.
I think this would be great, but a bit beyond my possibilities.
> Then, you have to code a security policy checker. And analyzing the
> firewall configuration files is *not* the right way: you have to find
> an external way to check that, to be sure that the firewall
> implementation of the security policy is right. That means accepting
> the authorized data flows *and* rejecting all other kinds. The
> difficult part is to check 'all other kinds of data flows', including
> tunneling, covert channels, ...
Considering netfilter as an example, do you mean something like
software that parses the output of the iptables-save command and then
automatically generates, first, all the allowed traffic, then all other
TCP/IP traffic, to see if something can bypass the firewall? You're right,
it's a big problem, I'll see..
Thanks to all, thanks for the "good luck", I really need it :-)
firewall-wizards mailing list
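An added example, not code from the thread, sketching the approach the poster describes: parse `iptables-save` output into a model of the policy, derive the expected verdict for each flow, and flag where the firewall's observed behaviour deviates from that model. The ruleset is constructed; only stateless tcp/udp `--dport` rules with first-match semantics are modelled, and collecting the observed verdicts is left to whatever probing harness you use.

```python
import re
from dataclasses import dataclass

# Constructed iptables-save excerpt (not from the thread): a small INPUT policy.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j DROP
-A INPUT -p tcp --dport 8080 -j REJECT
COMMIT
"""

@dataclass
class Rule:
    proto: object   # 'tcp', 'udp' or None for any protocol
    dport: object   # destination port or None for any port
    target: str     # ACCEPT, DROP or REJECT

def parse_iptables_save(text):
    """Return (chain default policies, ordered rules per chain) for the filter table."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(':'):                     # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith('-A ') and '--state' not in line:
            # stateful rules are skipped: this model covers new (pre-session) packets only
            chain = line.split()[1]
            proto = re.search(r'-p (\w+)', line)
            dport = re.search(r'--dport (\d+)', line)
            target = re.search(r'-j (\w+)', line)
            rules.setdefault(chain, []).append(Rule(
                proto.group(1) if proto else None,
                int(dport.group(1)) if dport else None,
                target.group(1)))
    return policies, rules

def expected_verdict(policies, rules, chain, proto, dport):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in rules.get(chain, []):
        if (r.proto is None or r.proto == proto) and (r.dport is None or r.dport == dport):
            return r.target
    return policies[chain]

def build_test_plan(policies, rules, chain, ports=range(1, 1025)):
    """Expected verdict for every (proto, port): allowed flows plus everything else."""
    return {(p, port): expected_verdict(policies, rules, chain, p, port)
            for p in ('tcp', 'udp') for port in ports}

def find_deviations(plan, observed):
    """Probes whose observed verdict differs from the model: bypasses or over-blocking."""
    return {k: (plan.get(k), v) for k, v in observed.items() if plan.get(k) != v}
```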