Re: [fw-wiz] How automate firewall tests
Jean-Denis,
On 8/18/06, Jean-Denis Gorin <jdgorin@computer.org> wrote:
> Strabla Ruggero wrote:
> >What I need is someone that could tell me which type of tests you do on
> >your firewalls and that you like to see automated
>
> What I would like, is a tool able to answer 2 questions:
> 1/ what is the security level of my firewall platform (OS security, patches up
> to date, does the firewall protect itself well, ...)?
> 2/ is the configuration of that firewall compliant with my security policy?
>
If you don't mind commercial tools, then
I suggest that you take a look at the AlgoSec Firewall Analyzer
http://www.algosec.com
It will do all of item 2 and part of item 1
(check that the firewall policy protects the firewall itself)
> The first point could be achieved with tools like vulnerability scanner,
> malformed packet scanner, patch manager, and so on. You have to add a tool able
> to audit the security configuration of the firewall to check what is the level
> of auto protection
yep
>
> The second point requires a tool able to *understand* a security policy. And
> that requires a tool able to *model* a security policy.
> Then, you have to code a security policy checker. And analyzing the firewall
> configuration files is *not* the right way: you have to find an external way to
> check that to be sure that the firewall implementation of the security policy is
> right. That means accepting the authorized data flows, *and* rejecting all other
> kinds. The difficult part is to check 'all other kinds of data flows', including
> tunneling, covert channel, ...
>
I agree with almost all the above except the statement
"analyzing the firewall configuration files is *not* the right way"
It's not very easy to do, certainly not easy to do *well*, but it is
very possible!
If you are interested, you can find some academic
papers about how it works at: http://www.eng.tau.ac.il/~yash/fw/index.html
The AlgoSec firewall analyzer implements all the things you mentioned,
and then some: it parses the config files, builds a model,
does a comprehensive offline analysis of what the firewall is
configured to allow,
and then compares the results with a knowledge base about what is risky.
Avishai.
..disclosure: I created the firewall analyzer starting at Bell Labs
circa 1998, then at
Lumeta, and now at AlgoSec. So I am naturally biased.
>
> JDG
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
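The offline approach described in the message above (parse the configuration, build a model, compute what the firewall is configured to allow, compare that with a list of risky flows), as an added example that is not part of the original thread and is not AlgoSec's code. The rule syntax, the addresses and the risk list are constructed for illustration, and first-match semantics with an implicit default deny are assumed.

```python
import ipaddress as ip
# Constructed rule set in a made-up syntax: action proto src dst port ("any" = all ports).
RULES = """\
deny  tcp 0.0.0.0/0     192.0.2.1/32   22
allow tcp 10.0.0.0/8    192.0.2.0/24   22
allow tcp 0.0.0.0/0     192.0.2.80/32  443
allow tcp 10.1.0.0/16   0.0.0.0/0      any
"""
# Constructed "knowledge base" of risky flows: (name, proto, src, dst, port).
RISKS = [
    ("ssh to the firewall itself", "tcp", "0.0.0.0/0", "192.0.2.1/32", 22),
    ("telnet from anywhere",       "tcp", "0.0.0.0/0", "0.0.0.0/0",    23),
    ("ssh into the DMZ",           "tcp", "0.0.0.0/0", "192.0.2.0/24", 22),
]

def parse(text):
    rules = []
    for line in text.splitlines():
        action, proto, src, dst, port = line.split()
        rules.append((action, proto, ip.ip_network(src), ip.ip_network(dst),
                      None if port == "any" else int(port)))
    return rules

def overlap(a, b):
    """Intersection of two CIDR blocks: the smaller one, or None if disjoint."""
    return a if a.subnet_of(b) else b if b.subnet_of(a) else None
def minus(a, b):  # a minus its subnet b, as a list of CIDR blocks
    return [] if a == b else list(a.address_exclude(b))

def allowed(rules, proto, src, dst, port):
    """First-match analysis: which (src, dst) blocks of the query are accepted?"""
    todo, hits = [(ip.ip_network(src), ip.ip_network(dst))], []
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != proto or rport not in (None, port):
            continue
        rest = []
        for s, d in todo:
            si, di = overlap(s, rsrc), overlap(d, rdst)
            if si is None or di is None:
                rest.append((s, d))  # rule does not touch this block
                continue
            if action == "allow":
                hits.append((si, di))
            rest += [(x, d) for x in minus(s, si)] + [(si, y) for y in minus(d, di)]
        todo = rest  # only traffic no earlier rule has decided moves on
    return hits  # whatever is left in todo falls to the implicit default deny

def audit(rules):
    return {name: allowed(rules, *query) for name, *query in RISKS}
```

With the constructed rules, `audit(parse(RULES))` reports that telnet is accepted from 10.1.0.0/16 to any destination through the any-port rule, while ssh to 192.0.2.1 is not accepted because the earlier deny matches first.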