Thread: Firewall Pen Test

  1. #1
    Junior Member
    Join Date
    Oct 2005
    Posts
    17

    Firewall Pen Test

    What would be a good approach (other than a port scan) to pen test a firewall and make sure the rules are set up correctly?

    Are there any common/recommended/standard open source tools that are used in the industry? If anyone can point to any good resources or whitepapers, that would be really helpful.

  2. #2
    What type of firewall are you using?


    Assuming you are talking about testing your own firewall, these are the techniques I use on mine. Any ideas you guys have, or techniques you use would also be appreciated. I manage a Cisco 525 PIX and these have always kept me up and running.


    1. Apply the new access-list/rules to the interface or review the existing ones. Basically, make sure you know what you're looking at and looking for.


    2. Generate legitimate traffic against the interface to ensure access. This should be done as soon as possible because no matter how many times you looked at and reviewed that access list, there is probably something wrong with it.


    3. Generate illegitimate traffic against the interface to ensure denial of access. This should also be done as soon as possible because this is the whole point of the process. Pen testing is a great tool in this step.


    4. View log/hit counters to ensure proper alarm/drop/reset procedures are being applied. (I just alarm/drop on outside interfaces; no reason to let the baddies know you're actually there if the traffic is illegitimate.) This can also be where you ensure your IDS is properly configured.


    5. This step is just for minimizing memory usage and firewall processing overhead. Depending on the interface and number of rules applied, I will then watch the hit count after one day and then again after one week to ensure that the most commonly hit rules are applied earlier on the list. If you use a Cisco 515 or higher router you can also compile the access list if there are more than 18 entries (I believe this is the actual number, but I may be wrong). Use compiled/turbo ACL at your own risk.


    I've been gone too long.


    Cheers,

    The_Captain
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous
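An added offline model of the five-step check above (example code, not The_Captain's or Cisco's): it evaluates constructed legitimate and illegitimate test packets against a simplified first-match access list, records per-entry hit counts, and, going one step beyond the post, flags entries that an earlier entry fully covers, since step 5's reordering by hit count silently changes the policy if such an entry is moved above the one that covers it. The entry format, addresses and traffic are all hypothetical.

```python
# Offline model of the checklist above: first-match ACL, per-entry hit counts, shadowing.
from collections import Counter
from ipaddress import ip_network

# Constructed, simplified PIX-style entries (hypothetical, not the poster's config):
# (action, proto, src_cidr, dst_cidr, dst_port or None for any port)
RULES = [
    ("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),       # public HTTPS
    ("permit", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22),  # admin SSH
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),               # explicit deny-all
    ("permit", "tcp", "198.51.100.5/32", "203.0.113.10/32", 22),  # never reached
]
# Constructed test traffic: ((proto, src, dst, dst_port), expected verdict)
CASES = [
    (("tcp", "192.0.2.7", "203.0.113.10", 443), "permit"),    # legitimate (step 2)
    (("tcp", "198.51.100.5", "203.0.113.10", 22), "permit"),  # legitimate (step 2)
    (("tcp", "192.0.2.7", "203.0.113.10", 22), "deny"),       # illegitimate (step 3)
    (("udp", "192.0.2.7", "203.0.113.10", 53), "deny"),       # illegitimate (step 3)
]

def covers(outer, inner):
    """True when every packet matching `inner` already matches `outer`."""
    _, o_proto, o_src, o_dst, o_port = outer
    _, i_proto, i_src, i_dst, i_port = inner
    return ((o_proto == "ip" or o_proto == i_proto)
            and ip_network(i_src).subnet_of(ip_network(o_src))
            and ip_network(i_dst).subnet_of(ip_network(o_dst))
            and (o_port is None or o_port == i_port))

def evaluate(rules, pkt):
    """First matching entry wins; an unmatched packet falls to the implicit deny."""
    proto, src, dst, port = pkt
    as_rule = ("", proto, src + "/32", dst + "/32", port)  # a packet is a /32 entry
    for i, rule in enumerate(rules):
        if covers(rule, as_rule):
            return i, rule[0]
    return None, "deny"

def run_tests(rules, cases):
    """Steps 2-4 in one pass: (mismatches, hit counter keyed by rule index)."""
    hits, failures = Counter(), []
    for pkt, expected in cases:
        idx, action = evaluate(rules, pkt)
        if idx is not None: hits[idx] += 1
        if action != expected: failures.append((pkt, expected, action))
    return failures, hits

def shadowed(rules):
    """Entries fully covered by an earlier one: step 5 must never move one above its coverer."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]
```

A zero hit count on a shadowed entry says nothing about real traffic, so check `shadowed()` before treating a week of counters as a reordering guide.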

  3. #3
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    You might want to have a look at firewalk, understanding it is one tool for looking at one aspect of a firewall's configuration.

    http://www.packetfactory.net/firewalk/
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    You should give some details about your firewall; anyhow, check this out:

    http://www.cert.org/security-improve...ices/p060.html

  5. #5
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    At a minimum I would run a security scan from outside the firewall. If you are into Linux you can use Nessus, as it is free. If not, GFI LANguard is pretty good, but it is not cheap.
    Work... Some days it's just not worth chewing through the restraints...

  6. #6
    Junior Member
    Join Date
    Oct 2005
    Posts
    17
    The_Captain et al.

    Thanks for the input. I will check out the resources. Firewalk looks interesting.

    Actually, I am looking at doing some preliminary testing on a PIX501 (6.3) which I have been using at home for the last few years.

    I wanted to audit my rules and make sure they are tight and also at the same time learn a bit more on this topic.

    Looks like it's time to set up a syslog server at home to analyze the logs during the pen testing.

    What tools do most folks use to generate traffic?

    I would imagine there is no need (since this is a Cisco PIX product which has a good rep.) but I would like to raise this question anyway: Is there a need to test for packet 'leakage' during high load?

    Cheers,
    Hattori Hanzo
    "Luck is what happens when preparation meets opportunity."
    (Roman philosopher, mid-1st century AD)

  7. #7
    Senior Member
    Join Date
    May 2004
    Posts
    274
    You can use nmap, hping, or nemesis for generating traffic.

    The following link will give you a head start on firewall testing:
    http://www.brandonhutchinson.com/tes...all_rules.html

    A couple of tutorials on the following link will be useful in firewall tests:
    http://wiki.hping.org/33

    http://www.wittys.com/files/mab/fwpentesting.html

    Or look at "HPING - Basic host and port probing. Tut 1 in Series of 5" by thehorse13; it has four more parts (search in the forums).

    Regards
    Excuse me, is there an airport nearby large enough for a private jet to land?

  8. #8
    Junior Member
    Join Date
    Oct 2005
    Posts
    17
    Thanks mmkhan, I will look into those resources as well.
    "Luck is what happens when preparation meets opportunity."
    (Roman philosopher, mid-1st century AD)

  9. #9
    I would imagine there is no need (since this is a Cisco PIX product which has a good rep.) but I would like to raise this question anyway: Is there a need to test for packet 'leakage' during high load?
    If this could happen, it will come out with the pen testing tools that have been posted. Let us know how that turns out. With about 90% certainty I say you don't have to worry about it though, because unlike a software-based firewall, the PIX you're using is doing its connection processing and switching decisions in hardware.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous
