Penetration Testing mailing list archives
Re: Firewall rulebase automation - Grey Box assessment
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Thu, 26 Jun 2008 09:23:40 +0530
@Clement: As of now there is a function for redundant rules in which I only check exact matches. So, for example, there is a rule in which a group has been allowed access to port 45678. Later on the admin forgets, there is a new request, and hence a new rule is created to allow a person (IP) in the earlier group access to 45678. On expansion of the object group both the rules are exactly the same, provided of course the other parameters are the same. But I get your point, and what you ask for is on my radar and I will be releasing it very shortly... it's part of my wishlist if you look at the Readme ;)

@Peter: I'd always heard of Nipper and, truth to tell, I looked at it after I made this. However there are differences, thankfully (I got lucky ;) ). They are:

a) Nipper as of now focuses on numerous things, rulebase included, but primarily targets any rules in the rulebase and not other "logically" weak rules. I tried to make this look at a firewall a bit more intuitively and check various other types of rules... if you look at the ReadMe you'll know exactly what I'm looking at. A quick snapshot is:

  check_any()                  // Rules with any in them
  check_entire_subnet()        // Rules where an entire subnet is allowed
  check_port_range()           // Rules where a large range of ports is allowed
  check_cleartext_protocols()  // Rules where clear-text protocols like telnet or tftp are used
  check_redundant_rules()      // Rules which are defined twice, once inside an object group, or which are unnecessary
  check_default_rules()        // Rules which are implied in that particular make of firewall
  check_deny_log()             // Rules which deny are logged
  check_firewall_access()      // Rules allowing access to the firewall itself

b) Nipper checks a lot of other things: settings on the firewall itself, things which are done when hardening a box. I don't do anything of that; I'm focusing just on the rulebase.

c) Nipper currently has support for multiple devices and gives output in a very neatly readable HTML format as well. Mine is clunky at best and I hope to improve that as well.

However, all said and done, I've tried to build something where two major goals are addressed:
1) I know exactly what rules are a problem so I can narrow down further
2) I can add support for as MANY firewalls as I want

Thanks for the feedback... do keep it coming so I can improve further.

Cheers
Arvind
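To illustrate the kind of rulebase checks Arvind lists (object-group expansion followed by exact-match redundancy detection, plus the "any", subnet, port-range, cleartext and deny-logging checks), here is an added example. It is not Arvind's tool and not code from the thread; the rule format, the object-group table, the rule ids and the cleartext service list are all constructed for this example, and a vendor-neutral dict representation stands in for a real firewall config.

```python
"""Toy firewall rulebase checker (added example, not the tool from the thread).

Rules are plain dicts and object groups map a name to member addresses.
Groups are expanded before the redundancy check, so a rule for one member
that duplicates an earlier group rule is caught as an exact match.
"""
from itertools import product

# Constructed sample data: one object group and five rules.
OBJECT_GROUPS = {
    "AppAdmins": ["10.1.1.5", "10.1.1.6"],
}

RULES = [
    {"id": 1, "src": "AppAdmins", "dst": "10.2.0.10", "service": "tcp/45678", "action": "allow", "log": True},
    # Added later for a single member of AppAdmins: redundant once the group is expanded.
    {"id": 2, "src": "10.1.1.6", "dst": "10.2.0.10", "service": "tcp/45678", "action": "allow", "log": True},
    {"id": 3, "src": "any", "dst": "10.2.0.0/24", "service": "tcp/23", "action": "allow", "log": True},
    {"id": 4, "src": "10.1.0.0/16", "dst": "10.3.0.1", "service": "tcp/1024-65535", "action": "allow", "log": False},
    {"id": 5, "src": "any", "dst": "any", "service": "any", "action": "deny", "log": False},
]

# Constructed mapping of well-known cleartext services (proto/port -> name).
CLEARTEXT = {"tcp/23": "telnet", "udp/69": "tftp", "tcp/21": "ftp", "tcp/80": "http"}


def expand(rule, groups):
    """Return one atomic rule per (src, dst) member pair after group expansion."""
    srcs = groups.get(rule["src"], [rule["src"]])
    dsts = groups.get(rule["dst"], [rule["dst"]])
    return [dict(rule, src=s, dst=d) for s, d in product(srcs, dsts)]


def rule_key(rule):
    """The fields that must all match for two atomic rules to be 'exactly the same'."""
    return (rule["src"], rule["dst"], rule["service"], rule["action"])


def port_span(service):
    """Number of ports a service string covers ('any', 'tcp/23', 'tcp/1024-65535')."""
    if service == "any":
        return 65536
    _, _, ports = service.partition("/")
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1


def check_redundant_rules(rules, groups):
    """(later_id, earlier_id) pairs where an expanded atom exactly repeats an earlier rule."""
    seen, redundant = {}, []
    for rule in rules:
        for atom in expand(rule, groups):
            key = rule_key(atom)
            if key in seen and seen[key] != rule["id"]:
                redundant.append((rule["id"], seen[key]))
                break
            seen.setdefault(key, rule["id"])
    return redundant


def check_any(rules):
    """Allow rules with 'any' as source, destination or service."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and "any" in (r["src"], r["dst"], r["service"])]


def check_entire_subnet(rules):
    """Allow rules whose source or destination is a whole subnet (CIDR notation)."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and ("/" in r["src"] or "/" in r["dst"])]


def check_port_range(rules, max_ports=100):
    """Allow rules opening more than max_ports ports at once."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and port_span(r["service"]) > max_ports]


def check_cleartext_protocols(rules):
    """(id, protocol name) for allow rules permitting a known cleartext service."""
    return [(r["id"], CLEARTEXT[r["service"]]) for r in rules
            if r["action"] == "allow" and r["service"] in CLEARTEXT]


def check_deny_log(rules):
    """Deny rules that are not logged, so blocked traffic leaves no trace."""
    return [r["id"] for r in rules if r["action"] == "deny" and not r["log"]]


def run_all(rules, groups):
    """Run every check and return findings keyed by check name."""
    return {
        "redundant": check_redundant_rules(rules, groups),
        "any": check_any(rules),
        "entire_subnet": check_entire_subnet(rules),
        "port_range": check_port_range(rules),
        "cleartext": check_cleartext_protocols(rules),
        "deny_unlogged": check_deny_log(rules),
    }


if __name__ == "__main__":
    for name, hits in run_all(RULES, OBJECT_GROUPS).items():
        print(f"{name:14s} {hits}")
```

The checks deliberately flag only allow rules for the "any", subnet, port-range and cleartext cases, so the trailing "deny any any" cleanup rule is reported by the deny-logging check rather than as an over-permissive rule. Rule 2 surfaces as redundant only because rule 1's group is expanded first; comparing the unexpanded text of the two rules would miss it.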