Network Security Firewalls

Re: Firewall Rulebase Testing

Subject: Re: Firewall Rulebase Testing
Date: Wed, 13 Apr 2005 06:47:12 -0400
On Tue, 2005-04-12 at 17:16, Persio Pucci wrote:

> I am looking for some software to test my firewall rulebase (I am using
> StoneGate right now, but it can be a non-vendor-specific tool).

Personally, I just use some form of packet crafting tool on one side of
the firewall and a sniffer on the other to see what gets through. For
example, something like:
nmap -n -P0 -sS -F -oN syn-scan.txt 1.2.3.0/29

allows you to seed nmap-services with the ports you wish to check and do
a pretty quick verification of what gets through. You can even leverage
options like '-T sneaky' to verify the firewall's ability to detect port
scans.

nmap's decoy mode is great for testing outbound policy as well. For
example let's say you have a Web, DNS, & SMTP server hanging off the
third nic of your firewall and you want to test their level of access to
the Internet. Obviously you do not want to install nmap on all of these
systems, as this would make the tool available to an attacker who
compromises the system. Instead, plug your laptop into the subnet and
run something like:
nmap -n -P0 -sS -D ip1,ip2,ip3 -F -oN syn-outbound.txt 5.6.7.8

Where ip1-ip3 are the IP addresses of the three servers, and 5.6.7.8 is
the IP address of a system outside the firewall running a packet
sniffer. nmap will generate an outbound scan using your laptop's IP
address, as well as the IPs of each of your three systems. You then
simply check the sniffer capture to see what gets through.

There are many other possibilities, but you get the idea. Script the
whole thing and you end up with a quick and effective way to test the
policy of a packet filtering firewall that is not product specific.

HTH,
Chris
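The "script the whole thing" step from the reply above, as an added example that is not part of the original post: a small Python audit that reads a tcpdump-style capture taken on the far side of the firewall and compares what arrived against the intended rulebase. Packets that arrived but are not permitted by policy are reported as leaks; permitted flows that never showed up are reported as missing (a rule tighter than intended, or a probe that was dropped). The capture lines, the 192.0.2.x server addresses and the policy table are constructed sample data, not anything from the list message.

```python
"""Compare a sniffer capture taken behind the firewall against the
intended rulebase and report where the two disagree.

Added example; the capture, addresses and policy below are constructed.
"""

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# tcpdump-style output as captured on the outside host (constructed sample,
# not a real capture). Only the initial SYN of each probe matters here.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 5.6.7.8.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 192.0.2.11.40002 > 5.6.7.8.25: Flags [S], seq 2, win 1024, length 0
12:00:01.000003 IP 192.0.2.12.40003 > 5.6.7.8.53: Flags [S], seq 3, win 1024, length 0
12:00:01.000004 IP 192.0.2.12.40004 > 5.6.7.8.23: Flags [S], seq 4, win 1024, length 0
12:00:01.000005 IP 192.0.2.99.40005 > 5.6.7.8.443: Flags [S], seq 5, win 1024, length 0
"""

# Intended outbound policy: (source network, destination port) pairs that
# the firewall should permit. Assumed addresses for the three servers.
POLICY = [
    ("192.0.2.10/32", 80),    # web server may fetch over HTTP
    ("192.0.2.10/32", 443),   # ...and HTTPS
    ("192.0.2.11/32", 25),    # mail relay may send SMTP
    ("192.0.2.12/32", 53),    # DNS server may query upstream
]

# Destination ports the scanner probed from every source address.
PROBED_PORTS = {23, 25, 53, 80, 443}

# Matches the source/destination fields of a tcpdump SYN line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


@dataclass(frozen=True)
class Observed:
    src: str
    dst: str
    dport: int


def parse_capture(text):
    """Return the set of (src, dst, dport) SYNs seen in tcpdump text."""
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen.add(Observed(m.group(1), m.group(3), int(m.group(4))))
    return seen


def allowed(src, dport):
    """True if the policy permits src to reach dport."""
    return any(
        ip_address(src) in ip_network(net) and dport == port
        for net, port in POLICY
    )


def audit(capture_text, sources, probed_ports=PROBED_PORTS):
    """Compare the capture against POLICY for the given source addresses.

    sources: every address the scan was sent from (laptop plus decoys).
    Returns {"leaks": [...], "missing": [...]} as sorted (src, dport) lists.
    """
    seen = parse_capture(capture_text)
    arrived = {(o.src, o.dport) for o in seen}
    # Leaks: traffic that reached the sniffer but is not permitted by policy.
    leaks = sorted(pair for pair in arrived if not allowed(*pair))
    # Missing: permitted probes that never reached the sniffer.
    expected = {(s, p) for s in sources for p in probed_ports if allowed(s, p)}
    missing = sorted(expected - arrived)
    return {"leaks": leaks, "missing": missing}


if __name__ == "__main__":
    scan_sources = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"]
    report = audit(SAMPLE_CAPTURE, scan_sources)
    for src, port in report["leaks"]:
        print(f"LEAK    {src} reached tcp/{port} but policy denies it")
    for src, port in report["missing"]:
        print(f"MISSING {src} -> tcp/{port} is permitted but was not seen")
```

With the constructed capture, the audit flags 192.0.2.12 reaching tcp/23 and the laptop (192.0.2.99) reaching tcp/443 as leaks, and reports that the permitted 192.0.2.10 -> tcp/443 probe never arrived. In practice the capture text would come from tcpdump on the outside host, the source list from the addresses passed to the scan, and the policy table from whatever the rulebase is supposed to say; none of that depends on the firewall product.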



