On 8/18/06, Jean-Denis Gorin wrote:
> Strabla Ruggero wrote:
> >What I need is someone that could tell me which type of tests you do on
> >your firewalls and that you like too see automated

> What I would like, is a tool able to answer 2 questions:
> 1/ what is the security level of my firewal platform (OS security, patches up
> to date, is the firewall protect itself well, ...)?
> 2/ is the configuration of that firewall compliant with my security policy?

If you don't mind commercial tools, then
I suggest that you take a look at the AlgoSec Firewall Analyzer
It will do all of item 2 and part of item 1
(check that the firewall policy protects the firewall itself)

> The first point could be achieved with tools like vulnerability scanner,
> malformed packet scanner, patch manager, and so on. You have to add a tool able
> to audit the security configuration of the firewall to check what is the level
> of auto protection


> The second point requires a tool able to *understand* a security policy. And
> that requires a tool able to *model* a security policy.
> Then, you have to code a security policy checker. And analyzing the firewall
> configuration files is *not* the right way: you have to find an external way to
> check that to be sure that the firewall implementation of the security policy is
> right. That means accepting the authorized data flows, *and* reject all others
> kind. The difficult part is to check 'all others kind of data flows', including
> tunneling, covert channel, ...

I agree with almost all the above except the statement
"analyzing the firewall configuration files is *not* the right way"
It's not very easy to do, certainly not easy to do *well*, but it is
very possible!
if you are interested, you can find some academic
papers about how it works at:

The AlgoSec firewall analyzer implements all the things you mentioned,
and then some: it parses the config files, builds a model,
does a comprehensive offline analysis of what the firewall is
configured to allow,
and then compares the results with a knowledge base about what is risky.


..disclosure: I created the firewall analyzer starting at Bell Labs
circa 1998, then at
Lumeta, and now at AlgoSec. So I am naturally biased.

> _______________________________________________
> firewall-wizards mailing list

firewall-wizards mailing list