Although this doesn't directly address the rule base, you can try an "nmap -sS -P0 -v <Host>" against your firewall. If your firewall does static NAT, set Host to the subnet for which it performs NAT. This will perform a SYN scan against your firewall with verbose logging and force a scan for all specified addresses in the range. Any gaping holes should show up, maybe even some smaller ones. Additionally, replace the -sS with other options to perform other scan types; connect scans are another good option. A few of these and you will have a good understanding of what the "Script Kiddies" and others are likely to see when they scan your firewall. Sometimes there is no better way than to view it from their perspective.

*Disclaimer* Run this against devices for which you are the administrator or where you have obtained the administrator's permission prior to scanning. Many people will take offense to blind scans of their resources and may report you to your ISP.
Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Saddington
Sent: Wednesday, December 05, 2001 2:53 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How easy is it to configure a rulebase.

Thanks for your response,

The point you make about a firewall not telling you that you have left a hole in the security is useful. What I am trying to find out is common issues where administrators have configured a rulebase that looks correct and may work correctly, only to discover at a later date they have left a wide open hole somewhere, either because rules function differently than expected or because they didn't test every possible rule boundary.

The point I was hoping to get feedback on was altering an existing rulebase to incorporate changes in an organisation's security policy. Should the whole rulebase be reworked or can extra rules just be added to the end? Then comes the issue of performance: should rules that permit the most traffic be given priority over more defined rules?

Any comments welcome.

Regards
Richard

>From: "Hiemstra, Brenno" <[EMAIL PROTECTED]>
>To: "'Richard Saddington'" <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED]
>Subject: RE: How easy is it to configure a rulebase.
>Date: Wed, 5 Dec 2001 11:22:18 +0100
>
>Richard,
>
>In my opinion it's not about "how easy it is" to configure
>a rulebase. I don't care how easy as long as it's good, functional
>and most of all secure.
>
>I think firewall administration is not for anyone that knows
>how to make a rule in CP FW-1. You need to know more
>to set up a right rulebase. You need to know more about
>what service you are going to allow and what the implications
>are on the firewalls / server.
>
>Firewall administration doesn't need to be made easy, because
>a firewall will not tell you that you made a wrong rule that opens
>up your whole network. Firewall administration needs to be made
>thorough and secure. A good viewable GUI is an advantage, but
>if the firewall itself lacks security that doesn't make it more secure.
>
>Administering a firewall's ruleset in a plain text file may be a
>pain in the ass if the rulebase is big, but then you will learn
>administering firewalls the hard way (in my opinion). It's still
>possible to open up the rulebase more than it needs, though!
>
>Just my thoughts..
>
>Regards,
>
>
>Brenno
>
> > -----Original Message-----
> > From: Richard Saddington [SMTP:[EMAIL PROTECTED]]
> > Sent: Tuesday, 4 December 2001 13:59
> > To: [EMAIL PROTECTED]
> > Subject: How easy is it to configure a rulebase.
> >
> > Hi All,
> >
> > I am an undergrad student researching firewall technologies, specifically
> > how rulebases are configured to filter packets.
> >
> > What I would like to know is problems people have had configuring rule
> > tables, e.g. getting the rules in the right order, difficulties implementing
> > the security policy/changes in security policy etc.
> >
> > The two products I have been looking at are CP's Firewall-1 and the
> > Netscreen-100. Any info on rulebases on these firewalls would be most
> > useful.
> >
> > Cheers
> > Richard
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
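As an added illustration of the rule-ordering problem Richard and Brenno discuss (this is example code written for this page, not code from the thread or from Firewall-1 or NetScreen), the following Python models a first-match rulebase and flags rules that an earlier rule shadows, which is exactly the kind of mistake a firewall will not warn you about. All networks, ports and rules are constructed placeholders.

```python
import ipaddress

# Constructed, simplified model of a first-match rulebase (Firewall-1 and
# NetScreen policies are evaluated top-down like this). A rule is
# (source network, destination network, destination port or None for any,
# action). All addresses and ports below are placeholders for the example.

def parse(rules):
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, a)
            for s, d, p, a in rules]

def decide(rules, src, dst, dport):
    """Return (rule index, action) of the first matching rule.
    Nothing matched means the implicit deny at the end of the rulebase."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (rs, rd, rp, action) in enumerate(parse(rules)):
        if s in rs and d in rd and (rp is None or rp == dport):
            return i, action
    return None, "drop"

def shadowed(rules):
    """Indices of rules that can never fire: every packet they would match
    is already caught by an earlier rule, whatever that rule's action.
    The firewall gives no warning, which is the silent hole (or the silently
    ineffective change) that the thread is talking about."""
    parsed = parse(rules)
    dead = []
    for i, (s, d, p, _) in enumerate(parsed):
        for es, ed, ep, _ in parsed[:i]:
            if s.subnet_of(es) and d.subnet_of(ed) and (ep is None or ep == p):
                dead.append(i)
                break
    return dead

BASELINE = [
    ("10.0.0.0/8", "192.0.2.0/24", 80,   "accept"),  # LAN to DMZ web
    ("0.0.0.0/0",  "0.0.0.0/0",    None, "drop"),    # explicit cleanup rule
]
# Policy change "just added to the end": it lands below the cleanup rule,
# so it never matches and SSH for the admin subnet silently stays blocked.
APPENDED = BASELINE + [("10.1.1.0/24", "192.0.2.0/24", 22, "accept")]
# The opposite mistake: a broad permit placed above a specific drop, so the
# "no telnet to the DMZ" rule is dead and telnet is open without any warning.
BROAD_FIRST = [
    ("10.0.0.0/8", "192.0.2.0/24", None, "accept"),
    ("10.0.0.0/8", "192.0.2.0/24", 23,   "drop"),
    ("0.0.0.0/0",  "0.0.0.0/0",    None, "drop"),
]

if __name__ == "__main__":
    print("appended rule shadowed:", shadowed(APPENDED))      # [2]
    print("ssh from admin subnet:", decide(APPENDED, "10.1.1.5", "192.0.2.10", 22))
    print("broad-first shadowed:", shadowed(BROAD_FIRST))     # [1]
    print("telnet to DMZ:", decide(BROAD_FIRST, "10.5.5.5", "192.0.2.10", 23))
```

Running `shadowed()` over a rulebase before and after every policy change is a cheap way to catch both failure modes; the model ignores protocol, state and time fields that real products also match on.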
