From: Ballowe, Charles (CBallowe@usg.com)
Date: Thu Sep 11 2003 - 14:49:42 EDT
This is an impractical solution. The initial question wants to be
able to virtually pass a packet through the ruleset and see which
rule it trips first. In order to be sure to get the packet with
the firewall logging, one would have to enable logging on all rules.
I've heard of FW-1 rule bases with 30K rules -- impractical to go
through and turn logging on in each and every one of those. (Most
probably don't have much more than a couple of hundred rules, but
it's still difficult). Also on a large site, one could potentially
have thousands of connections/second and full logging would still
be huge. Filtering the logs for key features of that packet wouldn't
be too bad, but you'd still have to do 2 policy installs to get it
working.
I've wanted a similar tool at times, but most of the time it's for
a spot check and I haven't found that writing a tool at that time
would be worth while, not to mention finding the time to do it and
do it right.
-Charlie
> -----Original Message-----
> From: Steve Shah [mailto:sshah@planetoid.org]
> Sent: Thursday, September 11, 2003 9:32 AM
> To: ravi pina
> Cc: Leif Sawyer; pen-test@securityfocus.com
> Subject: Re: FW1 External Ruleset validation tools?
>
>
> > > I'm looking for a way to audit my firewall ruleset, in
> > > a very specific manner.
>
> Check Freshmeat.net. There is a tool there called pacgen that
> will generate arbitrary IP packets. You can use this to
> recreate your packet.
>
> First test that the packet is making it through your firewall.
> Once you have confirmation of that, enable whatever logging
> feature you want. Send the packet again, stop logging, and
> then sift through what you have. You'll have much less data to
> actually look through and ideally the ruleset being hit/missed
> will show up easily.
>
> -Steve
>
> --
> Steve Shah
> sshah@planetoid.org - http://www.planetoid.org/
> Beating code into submission, one OS at a time...
>
> --------------------------------------------------------------
> -------------
> FREE Trial!
> New for security consultants and in-house pros: FOUNDSTONE
> PROFESSIONAL
> and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
> technology powered by the award-winning FoundScan engine. Try
> it free for 21 days at:
http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------
---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
technology powered by the award-winning FoundScan engine. Try it free for 21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT