Firewall Wizards mailing list archives
How do you test a firewall (was Re: your mail -Reply)
From: Bennett Todd <bet () mordor net>
Date: Tue, 7 Jul 1998 13:51:09 -0400
1998-07-02-11:02:47 Laris Benkis:
So,... don't keep us all in suspense. While I find interesting your assertion, and the reasoning behind it, that scanners are the wrong tool to test firewalls, I am more interested in what the right tools are. Who makes these tools and what do they test? If they don't exist currently, and have to be home-grown, what specific tests should they perform?
Right now, there's really no such tool. Available scanners can look at only the most superficial part of the question, at the level of ``well, yes, that looks more like a firewall than e.g. a typical unsecured desktop system of c. 1985''.

Part of the problem is that ``what is a firewall'' is a question whose answer is changing rapidly over time. Right now I'd say ``a firewall is a combination of security components configured to enforce a security policy'', which is way too loose to be useful for anything. In some settings a Cisco 2501 with some simple screening rules is all the firewall you need. In other settings you need the best security you can buy, so you might have a Cisco PIX for the external screening router, backed up by an application gateway firewall built using OpenBSD+IP-Filter+fwtk+qmail, with separate interfaces for each DMZ host, each of which is another OpenBSD+IP-Filter bastion.

All you can do to evaluate a given firewall is to start with the security policy you want to enforce, then examine the architecture and configuration of the firewall to confirm that it should be able to enforce the policy, then try to think about possible implementation and configuration bugs and devise some probes to give yourself confidence that they're missing. There are companies out there that sell this service. They routinely charge a load of money for the service --- it's an in-depth security audit that starts with a review of the security policy, and hence re-checks that against the organization's needs, and then goes through an implementation audit. With good preparation a team of a half-dozen experts might be able to do this in a month, for a small firm with simple requirements.

-Bennett
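The policy-first evaluation Bennett describes (write down the policy, then confirm the configuration enforces it) can be mechanised for the configuration-review step. The following is an added example, not code from the original post or from IP-Filter: it parses a constructed subset of ipf rule syntax, applies ipf's last-match-wins semantics (with `quick` short-circuiting and a default of pass), and checks a constructed ruleset against policy statements written as required verdicts; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re
# Constructed parser for a subset of ipf syntax:
# "pass|block in|out [quick] [proto tcp|udp] from <cidr|any> to <cidr|any> [port = N]"
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>tcp|udp))?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?$")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    r = m.groupdict()
    r["quick"], r["port"] = r["quick"] is not None, (int(r["port"]) if r["port"] else None)
    return r

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, pkt):
    direction, proto, src, dst, dport = pkt
    return (r["dir"] == direction and r["proto"] in (None, proto)
            and addr_match(r["src"], src) and addr_match(r["dst"], dst)
            and r["port"] in (None, dport))

def evaluate(rules, pkt):
    verdict = "pass"                  # ipf default when no rule matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]     # ipf: the LAST matching rule decides ...
            if r["quick"]:
                break                 # ... unless that rule says 'quick'
    return verdict

def audit(ruleset_text, policy):
    """Return [(policy statement, required verdict, actual verdict)]."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    return [(desc, want, evaluate(rules, pkt)) for desc, pkt, want in policy]
# Constructed ruleset and policy (RFC 5737 documentation addresses).
RULESET = """block in from any to any
pass in quick proto tcp from any to 192.0.2.25 port = 25
pass in proto tcp from 198.51.100.0/24 to 192.0.2.0/24 port = 22
pass in proto udp from any to 192.0.2.0/24
"""
POLICY = [  # (statement, packet as (dir, proto, src, dst, dport), required verdict)
    ("Internet may reach the mail relay on SMTP", ("in", "tcp", "203.0.113.7", "192.0.2.25", 25), "pass"),
    ("Internet must not telnet to internal hosts", ("in", "tcp", "203.0.113.7", "192.0.2.10", 23), "block"),
    ("partner network may ssh to internal hosts", ("in", "tcp", "198.51.100.5", "192.0.2.10", 22), "pass"),
    ("Internet must not reach internal UDP services", ("in", "udp", "203.0.113.7", "192.0.2.10", 161), "block"),
]
```

Running `audit(RULESET, POLICY)` flags the last statement: the unqualified UDP pass rule is the last match for any inbound UDP datagram, so the ruleset fails the policy even though the first rule looks like a deny-all.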