Penetration Testing mailing list archives

Re: Firewall rulebase automation - Grey Box assessment


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Thu, 26 Jun 2008 09:23:40 +0530

@Clement: As of now there is a function for redundant rules in which I
only check exact matches. So, for example, if there is a rule in which a
group has been allowed access to port 45678, and later on the admin
forgets and there is a new request and hence a new rule is created to
allow a person (IP) in the earlier group access to 45678, then on
expansion of the object group both rules are exactly the same, provided
of course the other parameters are the same. But I get your point, and
what you ask for is on my radar and I will be releasing it very
shortly. It's part of my wishlist if you look at the Readme ;)

@Peter: I'd always heard of Nipper and, truth to tell, I looked at it
after I made this. However, there are differences, thankfully (I got
lucky ;) ). They are:
a) Nipper as of now focuses on numerous things, rulebase included, but
primarily targets any rules in the rulebase and not other "logically"
weak rules. I tried to make this look at a firewall a bit more
intuitively and check various other types of rules. If you look at the
ReadMe you'll know exactly what I'm looking at. A quick snapshot is:

check_any()                 // Rules with any in them
check_entire_subnet()       // Rules where an entire subnet is allowed
check_port_range()          // Rules where a large range of ports is allowed
check_cleartext_protocols() // Rules where clear-text protocols like telnet or tftp are used
check_redundant_rules()     // Rules which are defined twice, once inside an object group, or which are unnecessary
check_default_rules()       // Rules which are implied in that particular make of firewall
check_deny_log()            // Deny rules are logged
check_firewall_access()     // Rules allowing access to the firewall itself

b) Nipper checks a lot of other things: settings on the firewall
itself, things which are done when hardening a box. I don't do any of
that; I'm focusing just on the rulebase.

c) Nipper currently has support for multiple devices and gives output
in a very neatly readable HTML format as well. Mine is clunky at best,
and I hope to improve that as well.

However, all said and done, I've tried to build something where two
major goals are addressed:
1) I know exactly what rules are a problem so I can narrow down further
2) I can add support for as MANY firewalls as I want

Thanks for the feedback. Do keep it coming so I can improve further.

Cheers
Arvind

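The checks listed in the post, as an added example that is not part of the original message or of the author's tool: a small Python rulebase checker run over a constructed, simplified Cisco ASA-style configuration (the accepted syntax is an assumption, a subset of the real one). Object groups are expanded before rules are compared, as the post describes; the redundancy check goes one step beyond the exact-match behaviour the post describes and also reports a later rule whose expanded sources, destinations and ports are all contained in an earlier rule with the same action. The clear-text port table, the "large range" threshold, the firewall's own interface address and the sample config are all assumptions made for this example; check_default_rules is make-specific and is left out.

```python
"""Toy rulebase checker modelled on the check list in the post (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Assumptions for this example, not values from the post:
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 110: "pop3"}
LARGE_RANGE = 100                                      # flag port ranges wider than this
FIREWALL_ADDRS = {ipaddress.ip_address("192.0.2.1")}  # the firewall's own interface
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Constructed, simplified ASA-style config; each line exercises one check.
SAMPLE_CONFIG = """
object-group network ENGINEERING
 network-object host 10.1.1.5
 network-object host 10.1.1.6
access-list OUTSIDE extended permit tcp object-group ENGINEERING any eq 45678
access-list OUTSIDE extended permit tcp host 10.1.1.5 any eq 45678
access-list OUTSIDE extended permit tcp any any range 1024 65535
access-list OUTSIDE extended permit tcp 10.2.0.0 255.255.0.0 host 10.9.9.9 eq 23
access-list OUTSIDE extended permit tcp host 10.3.3.3 host 192.0.2.1 eq 22
access-list OUTSIDE extended deny ip any any
"""

@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    src: list     # ip_network objects, object groups already expanded
    dst: list
    ports: tuple  # (low, high); (0, 65535) when the rule names no port
    log: bool

def _addr(tokens, groups):
    """Consume one address spec (any | host A | object-group G | A MASK)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]

def parse(config):
    groups, rules, current = {}, [], None
    for n, raw in enumerate(config.strip().splitlines(), 1):
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.extend(_addr(t[1:], groups)[0])
        elif t[0] == "access-list" and t[2] == "extended":
            action, proto, rest = t[3], t[4], t[5:]
            src, rest = _addr(rest, groups)
            dst, rest = _addr(rest, groups)
            ports = (0, 65535)
            if rest and rest[0] == "eq":
                ports, rest = (int(rest[1]), int(rest[1])), rest[2:]
            elif rest and rest[0] == "range":
                ports, rest = (int(rest[1]), int(rest[2])), rest[3:]
            rules.append(Rule(n, action, proto, src, dst, ports, "log" in rest))
    return rules

def _covers(outer, inner):
    """True when every network in inner lies inside some network in outer."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)

def check_any(rules):
    return [r.line_no for r in rules if r.action == "permit" and (r.src == ANY or r.dst == ANY)]

def check_entire_subnet(rules):
    return [r.line_no for r in rules if r.action == "permit"
            and any(0 < n.prefixlen < 32 for n in r.src + r.dst)]

def check_port_range(rules):
    # tcp/udp permits with no port at all count as the widest possible range
    return [r.line_no for r in rules if r.action == "permit" and r.proto in ("tcp", "udp")
            and r.ports[1] - r.ports[0] > LARGE_RANGE]

def check_cleartext_protocols(rules):
    return [(r.line_no, CLEARTEXT_PORTS[r.ports[0]]) for r in rules if r.action == "permit"
            and r.ports[0] == r.ports[1] and r.ports[0] in CLEARTEXT_PORTS]

def check_redundant_rules(rules):
    """(later, earlier) pairs where the earlier rule already covers the later one."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action == later.action and earlier.proto in (later.proto, "ip")
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.ports[0] <= later.ports[0] <= later.ports[1] <= earlier.ports[1]):
                found.append((later.line_no, earlier.line_no))
                break
    return found

def check_deny_log(rules):
    return [r.line_no for r in rules if r.action == "deny" and not r.log]

def check_firewall_access(rules):
    # dst "any" is already reported by check_any, so only explicit destinations count here
    return [r.line_no for r in rules if r.action == "permit" and r.dst != ANY
            and any(fw in n for n in r.dst for fw in FIREWALL_ADDRS)]

def run_all(config=SAMPLE_CONFIG):
    rules = parse(config)
    return {"any": check_any(rules), "entire_subnet": check_entire_subnet(rules),
            "port_range": check_port_range(rules), "cleartext": check_cleartext_protocols(rules),
            "redundant": check_redundant_rules(rules), "deny_unlogged": check_deny_log(rules),
            "firewall_access": check_firewall_access(rules)}

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:16} {hits}")
```

Findings are reported as config line numbers so each hit can be traced back to the rule that caused it, which is the first of the two goals the post names; adding another device type means writing another parse() that yields the same Rule objects, which is the second.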