+-+-+-+-+-+-+-+-+
|O|u|t|b|r|e|a|k|
+-+-+-+-+-+-+-+-+
Issue #3 - Page 3 of 12

--=How To Audit Your Firewall=--
-by `Enigma-

one of the most important things in having a secure network is a properly configured firewall. in the following paragraphs i will show you how to audit your firewall and your firewall rulebase. auditing a firewall setup is a two step process. first you test the firewall itself. then you test the rulebase, that is, what kind of traffic you want to allow to pass through the firewall.

to audit the firewall itself you want to make sure it is secure. this means that no one can access or modify the firewall. first it must be secured physically with controlled access. if someone gains physical access to your firewall you are fucked: they can pull the config, reboot it single-user, or just unplug it. next make sure the operating system it runs on is fully hardened, with every service that isn't needed for filtering or administration removed or disabled.

scanning the firewall is the next step. run scans from your internal network and from the internet, covering ICMP, UDP and TCP. ideally you don't want any ports open on the firewall itself. a properly configured firewall runs few services to start with, and once it is up and running no port should answer unless it absolutely has to. many firewalls leave ICMP open by default; this should really be locked down. if ICMP echo is answered from the internet your network can be easily mapped, and ICMP timestamp and netmask requests give away even more. (don't blindly drop all ICMP though: type 3 code 4 "fragmentation needed" must still get through or path MTU discovery breaks and large transfers hang.) if you must have a port or service running on the firewall, set up a rule that limits which source ips can connect to it.

the idea in securing a firewall is to deny access whenever possible. every rulebase should have a lockdown rule near the beginning that denies any traffic to the firewall itself. that way the firewall is closed off from the world. if you need access to the firewall (ssh from your management hosts, say), put that rule before the lockdown rule; rules are matched in order and the first match wins, so anything placed after the lockdown rule can never reach the firewall. all other rules, the ones that say what may pass through the firewall, go after the lockdown rule.
once you have audited the firewall itself you will want to check the rulebase. we do this by scanning every network segment from every other network segment to see what packets can and cannot get through the firewall. you must make sure that the firewall is only accepting traffic you allow. the only way to know that is to send the traffic yourself from a system on the far side of the firewall: from the internet to test what outsiders can reach, and from each internal segment to test what your own hosts can reach. that way you can determine what packets can and can't get through. you must remember that your firewall rulebase should deny everything, allowing only that which is specifically allowed.

------------------
example port scan
------------------

in order to audit your firewall and firewall rulebase successfully you will need a good port scanner. everyone has their favorite scanner but for this example i will be using nmap. the scan shown below covers tcp ports 1 through 65000 (of 65535 possible; use -p1-65535 if you want every one). this scan takes a long time, but it is very thorough.

#nmap -v -g53 -sS -sR -P0 -O -p1-65000 -o nmap.out victim

a few words on the options: -sS is a SYN scan, -sR runs an RPC scan against whatever turns out to be open, -P0 skips the ping so the scan runs even when ICMP is blocked (exactly what you told the firewall to do above), -O fingerprints the OS, and -g53 sets the source port to 53. that last one is a rulebase test in itself: a stateless filter with a rule like "allow anything from source port 53" (a lazy way of letting DNS replies back in) will let the whole scan through. run the scan once with -g53 and once without; if the results differ, your rulebase trusts source ports and needs fixing.

Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Initiating SYN half-open stealth scan against victim (110.13.3.160)
The SYN scan took 4086 seconds to scan 65000 ports.
Initiating RPC scan against victim (110.13.3.160)
The RPC scan took 2 seconds to scan 65000 ports.
For OSScan assuming that port 21 is open and port 22 is closed and neither are firewalled.
Interesting ports on victim6 (110.13.3.160):
(The 64985 ports scanned but not shown below are in state: filtered)
Port       State       Service (RPC)
21/tcp     open        ftp
23/tcp     closed      telnet
25/tcp     closed      smtp
53/tcp     closed      domain
80/tcp     open        http
111/tcp    closed      sunrpc
443/tcp    open        https
512/tcp    closed      exec
513/tcp    closed      login
514/tcp    closed      shell

this scan shows that packets to 10 ports were able to pass through the firewall: 3 open and 7 closed. a closed port counts too, because the host only sends the RST back if the SYN reached it, so the firewall is passing telnet, smtp, dns, sunrpc and the r-services to this box whether or not anything is listening. the other 64985 ports are filtered: the firewall dropped the SYN and nothing came back. you would now take this information and compare it to your firewall rulebase, port by port: every reachable port must be covered by an allow rule, and every allow rule should show up as reachable.

one option you might want to try with nmap is -sA, the ACK scan, which is designed to test firewall rulebases. it sends bare ACKs; a stateless packet filter that only checks the SYN flag lets them through, so ports come back "unfiltered" even where a SYN scan shows them filtered. a stateful firewall drops ACKs that belong to no connection, so everything shows as filtered, which is what you want to see. the scan shown above works great for TCP, but it doesn't work for UDP.
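the comparison step above, done in code. this is an added example, not part of the original article and not anything from nmap: it models an ordered rulebase with first-match semantics (including the lockdown rule and the admin rule that must precede it), parses the port table from the scan above, and reports both directions of mismatch. the firewall address 110.13.3.1, the management net 10.0.0.0/24, the scanner address 198.51.100.7, the rulebase format and the extra tcp/8080 rule are assumptions made for the illustration.

```python
"""Compare an nmap scan of a host behind the firewall with the rulebase.
Added example for this article, not the author's code.  Assumed: the rulebase
format, firewall address 110.13.3.1, management net 10.0.0.0/24, scanner
address 198.51.100.7 and the tcp/8080 rule.  The scan text is the nmap output above.
"""
import ipaddress
import re
from typing import NamedTuple, Optional, FrozenSet

class Rule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    ports: Optional[FrozenSet[int]]  # None means any port
    action: str                      # "accept" or "drop"

def rule(src, dst, proto, ports, action):
    """Build a Rule from CIDR strings and a port set (None = any port)."""
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto,
                None if ports is None else frozenset(ports), action)

FIREWALL = "110.13.3.1/32"   # assumed: the firewall's own address
VICTIM = "110.13.3.160/32"   # the scanned host, from the nmap output
ADMIN_NET = "10.0.0.0/24"    # assumed: internal management segment

# Ordered rulebase, first match wins, anything unmatched is dropped.  Rule 1 lets
# admins ssh to the firewall, rule 2 is the lockdown rule (nobody else touches
# the firewall), rules 3-4 say what the scanned host may receive.
RULEBASE = [
    rule(ADMIN_NET, FIREWALL, "tcp", {22}, "accept"),
    rule("0.0.0.0/0", FIREWALL, "any", None, "drop"),
    rule("0.0.0.0/0", VICTIM, "tcp", {21, 80, 443}, "accept"),
    rule("0.0.0.0/0", VICTIM, "tcp", {8080}, "accept"),  # assumed extra rule
]

def expected_action(rulebase, src, dst, proto, port):
    """Walk the rulebase in order; return the action of the first matching rule."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rulebase:
        if (src_ip in r.src and dst_ip in r.dst and r.proto in ("any", proto)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "drop"  # implicit deny at the end of every rulebase

PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\b", re.I)
DEFAULT_LINE = re.compile(r"\(The \d+ ports scanned but not shown below are in state: (\w+)\)")

def parse_nmap(text):
    """Return ({port: state}, state of the unlisted ports) from nmap's text output."""
    states, default = {}, "filtered"
    for line in text.splitlines():
        m = DEFAULT_LINE.search(line)
        if m:
            default = m.group(1).lower()
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3).lower()
    return states, default

def audit(rulebase, scan_text, scanner, target, proto="tcp", port_range=range(1, 65001)):
    """Diff what nmap saw against what the rulebase says should happen.
    "open" and "closed" both mean the SYN reached the host (a RST is still an
    answer), so both count as passed through the firewall.  Returns (ports
    reachable although the rulebase denies them, ports allowed but filtered)."""
    states, default = parse_nmap(scan_text)
    unexpected, missing = [], []
    for port in port_range:
        reached = states.get(port, default) in ("open", "closed", "unfiltered")
        allowed = expected_action(rulebase, scanner, target, proto, port) == "accept"
        if reached and not allowed:
            unexpected.append(port)
        elif allowed and not reached:
            missing.append(port)
    return unexpected, missing

# Sample input: the port table from the article's nmap run.
SCAN = """\
(The 64985 ports scanned but not shown below are in state: filtered)
Port       State       Service (RPC)
21/tcp     open        ftp
23/tcp     closed      telnet
25/tcp     closed      smtp
53/tcp     closed      domain
80/tcp     open        http
111/tcp    closed      sunrpc
443/tcp    open        https
512/tcp    closed      exec
513/tcp    closed      login
514/tcp    closed      shell
"""

if __name__ == "__main__":
    bad, filtered = audit(RULEBASE, SCAN, "198.51.100.7", "110.13.3.160")
    print("reachable but denied by the rulebase:", bad)       # the 7 closed ports
    print("allowed by the rulebase but filtered:", filtered)  # [8080]
```

run against the scan above it flags the seven closed ports (telnet, smtp, dns, sunrpc, exec, login, shell) as reachable without a rule allowing them, and tcp/8080 as allowed by the rulebase yet filtered, which usually means a misordered or shadowed rule. swapping the admin rule and the lockdown rule in RULEBASE makes expected_action() return "drop" for the admins too, which is the ordering mistake the article warns about.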
UDP scanning works by sending a UDP packet to each port. if the port is not open, the target sends back an ICMP port unreachable error, and that tells you the port is closed. if nothing comes back, the port is either open (most UDP services don't answer random garbage) or filtered, and a plain scan can't tell which. that is the catch: what we really want to know is not whether the port is open, but whether it is filtered. (nmap's -sU has the same blind spot, and many firewalls and hosts rate-limit ICMP errors, which makes a UDP scan crawl and makes the "no answer" cases even more ambiguous.) to find out whether your firewall is filtering UDP you must use two systems, one scanning through the firewall from the outside, and one on the inside sniffing all incoming UDP traffic (or, simpler, listening on the ports under test). whatever the inside system sees arrived unfiltered; whatever it never sees, the firewall dropped. so go test your fucking firewall. it will help you sleep better.
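the two-system UDP test from the last paragraph, as an added example that is not part of the original article. instead of sniffing (which needs root and a capture library) the inside host binds the test ports itself and records which tagged probes arrive, so the verdict never depends on ICMP errors coming back. the port numbers, the probe tag and the 30 second listening window are assumptions; the loopback self-test at the bottom is constructed and has no firewall in the path, it only proves the two halves work.

```python
"""Two-system UDP filter test: a prober in front of the firewall, a listener behind it.
Added example for this article, not the author's code.  Instead of sniffing, the
inside host binds the test ports and records which probes arrive, so the result
does not depend on ICMP errors.  Ports, tag and timings are assumptions.
"""
import select
import socket
import sys
import threading
import time

TAG = b"fwaudit:"   # marks our datagrams so unrelated UDP noise is not counted

def bind_ports(addr, ports):
    """Inside host: one UDP socket per port under test.  Ports below 1024 need root."""
    socks = {}
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((addr, p))
        socks[s] = p
    return socks

def collect(socks, duration):
    """Inside host: for `duration` seconds, note every port that receives a tagged probe."""
    seen = set()
    deadline = time.monotonic() + duration
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        ready, _, _ = select.select(list(socks), [], [], remaining)
        for s in ready:
            try:
                data, _ = s.recvfrom(512)
            except OSError:        # a queued ICMP error surfaces here on some platforms
                continue
            if data.startswith(TAG):
                seen.add(socks[s])
    for s in socks:
        s.close()
    return seen

def probe(target, ports, rounds=3, pause=0.05):
    """Outside host: send a tagged datagram to every port, a few times, since UDP is lossy."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for _ in range(rounds):
        for p in ports:
            s.sendto(TAG + str(p).encode(), (target, p))
        time.sleep(pause)
    s.close()

def report(tested, seen):
    """Split the tested ports into those the firewall passed and those it dropped."""
    return {"passed": sorted(seen), "filtered": sorted(set(tested) - set(seen))}

def local_demo(ports, allowed, addr="127.0.0.1"):
    """Constructed self-test on one machine: the inside half binds every port, the
    outside half probes only `allowed`, standing in for a firewall that drops the rest."""
    socks = bind_ports(addr, ports)
    result = {}
    inside = threading.Thread(target=lambda: result.update(seen=collect(socks, 0.5)))
    inside.start()
    probe(addr, allowed)   # datagrams that arrive before collect() polls are queued, not lost
    inside.join()
    return report(ports, result["seen"])

if __name__ == "__main__":
    PORTS = [53, 123, 161, 514]                # assumed set of UDP ports under test
    if sys.argv[1:2] == ["inside"]:            # step 1: on the host behind the firewall
        print(report(PORTS, collect(bind_ports("0.0.0.0", PORTS), 30)))
    elif sys.argv[1:2] == ["outside"]:         # step 2: on the host in front of it
        probe(sys.argv[2], PORTS)
    else:                                      # no arguments: loopback self-test
        print(local_demo([47053, 47123, 47161], [47053, 47123]))
```

for the real test start the inside half first (it listens for 30 seconds), then run the outside half against the address the firewall exposes for the inside host, and read the report the listener prints. anything in "filtered" never made it past the firewall, no ICMP guesswork involved; if you would rather sniff, point tcpdump at the same ports and look for the tag.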