On Thu, 21 Mar 2002, Fredy Santana wrote:
> Hi Everybody:
>
> I'm analyzing a firewall-1 rulebase of 79 rules. Maybe you're thinking I'm
> driving crazy, which is certainly true. Does anybody know some method to
> analyze the rules of a firewall-1, or in general a huge firewall rulebase?

One of the problems with a task like this is it's very much like trying to
edit a paper you wrote yourself for typos and grammatical errors. You're too
close to the 'final' product to see the errors in your own work.

> I'm trying to find, for example, which services are allowed from internet
> to internal network or which machines are visible from internet... things
> like that.

If the expense of hiring an outside auditing firm precluded you from doing
so, then rather than concentrate upon looking at the GUI layout of the rules
you put together to enforce the company's policy, try some of the various
port scanning and vulnerability scanning tools available; quite a few are
free. Don't rely upon a single "scanner's" output: try a number of them,
then compare the results they give you to get a better idea of what things
each was able to discover and what might actually be open to the outside in
or inside out. Scan from both sides of the perimeter, and scan from the
perimeter boundaries like your DMZ(s). Compare your findings with the
various CVE databases being built to 'rate' the potential vulnerabilities,
and compare those issues with your risk assessment data to determine if it
fits with your potential definitions of adequate risk, and to determine what
issues need to be dealt with in which order of magnitude.

Various tools available:

nmap; an old standby, cheap and very stable. Beware of the fact that some of
its scans can DOS out some equipment, especially older equipment.

sara; another good 'cheap' toy.

nessus; make sure you update its signatures frequently.

raccess; new and under constant development, but not too bandwidth
intensive, and a good way to get attention in budget consideration times;
also can help to demonstrate problems to skeptics.

amap; also new and being upgraded at a pretty constant rate.

mothra2; a nice little banner scanner, small footprint, easy on bandwidth
<I've used it on dialup connections in multiples and still been capable of
doing other work while it chugged away>. It was recently announced on the
vulbugtraq list, and has been upgraded immensely since its first incarnation,
mothra. Find it at:
http://methodic.angrypacket.com/mothra2.tar.gz

Need to check those screening routers? A couple of recent tools to help here:

irpas_0.10.tar.gz
rat-1.0.tar.gz

These and various other tools can help one to determine not only how well
their rule base is keeping corporate policies, but also help to determine
how current the various sourceballs are of the services being offered up,
inside and out. Far too many folks concentrate upon the outside-in
perspective and fail to take into account that the reverse, inside-out,
perspective is as, if not more, serious in policy definition and compliance.

Thanks,

Ron DuFresne

> I hope for your help
>
> Regards from Chile
> Fredy R. Santana V.
> Electrical Civil Engineer - CCSA - CCDA
> Orion 2000 - Professional Services in Information Security
> La Concepcion 322 piso 12, Providencia.
> Santiago, Chile
> Phone: 56-2-6403944, Fax: 56-2-6403990
> e-mail: [EMAIL PROTECTED]
> http://www.orion.cl
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
