                                +-+-+-+-+-+-+-+-+
                                |O|u|t|b|r|e|a|k|
                                +-+-+-+-+-+-+-+-+
                             Issue #3 - Page 3 of 12



                         --=How To Audit Your Firewall=--

                                   -by `Enigma-



one of the most important things in having a secure network is a properly
configured firewall. in the following paragraphs i will show you how to audit
your firewall and firewall rulebase.

auditing a firewall setup is a two step process. first you will want to test
the firewall itself. then you need to test the rulebase: what kind of traffic
do you want to allow to pass through your firewall?

to audit your firewall you want to make sure it is secure. this means that no
one can access or modify your firewall. first it must be secured physically
with controlled access. if someone gains physical access to your firewall you are
fucked. next you will want to make sure the operating system you use is fully
hardened. scanning your firewall is the next step. run scans from your internal
network and the internet, scanning for ICMP, UDP and TCP. ideally you don't
want any ports open.

a properly configured firewall should have few services to start with. once the
firewall is up and running, no ports should be open unless they absolutely
have to be. many firewalls leave ICMP open by default; this should really be
disabled. if ICMP is open your network can be easily mapped from the internet.
if you must have a port or service running, then you can set up a rule that
limits what source IPs can connect to it. the idea in securing a firewall is
to deny access whenever possible. every rulebase should have a lockdown rule at
the beginning that denies any traffic to the firewall itself. that way your
firewall is closed off from the world. if you need access to the firewall, put
that rule before the lockdown rule. all other rules should go after the
lockdown rule.
                                                                               
Once you have audited your firewall you will now want to check the rulebase. we
do this by scanning every network segment from every other network segment to
see what packets can and cannot get through the firewall. you must make sure
that the firewall is only accepting traffic you allow. the only way to check
this is with a system outside your firewall. that way you can determine what
packets can and can't get through. you must remember that your firewall rulebase
should deny everything, allowing only that which is specifically allowed.

------------------
example port scan
------------------

In order to audit your firewall and firewall rulebase successfully you will
need a good port scanner. everyone has their favorite scanner but for this
example i will be using nmap. The scan shown below will scan all 65,000
possible ports. this scan takes a long time, but it is very thorough.

 #nmap -v -g53 -sS -sR -P0 -O -p 1-65000 -o nmap.out victim

 Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
 Initiating SYN half-open stealth scan against victim (110.13.3.160)
 The SYN scan took 4086 seconds to scan 65000 ports.
 Initiating RPC scan against victim (110.13.3.160)
 The RPC scan took 2 seconds to scan 65000 ports.
 For OSScan assuming that port 21 is open and port 22 is closed and neither are
 firewalled.
 Interesting ports on victim6 (110.13.3.160):
 (The 64985 ports scanned but not shown below are in state: filtered)
 Port       State       Service (RPC)
 21/tcp     open        ftp
 23/tcp     closed      telnet
 25/tcp     closed      smtp
 53/tcp     closed      domain
 80/tcp     open        http
 111/tcp    closed      sunrpc
 443/tcp    open        https
 512/tcp    closed      exec
 513/tcp    closed      login
 514/tcp    closed      shell


this scan shows that 10 packets were able to pass through the firewall (a port
reported as "closed" still means the packet reached the host; only "filtered"
means the firewall dropped it). you would now take this information and compare
it to your firewall rulebase. one option you might want to try with nmap is
-sA (the ACK scan), which is designed to test firewall rulebases.
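here is an added example (mine, not part of the article or of nmap) that does
the "compare it to your firewall rulebase" step by hand, and also shows why the
admin rule has to sit before the lockdown rule. it models a first-match
rulebase, parses the port table from the scan output above, and flags every
port that got through even though no rule allows it. the addresses 110.13.3.1
(the firewall), 10.0.0.0/24 (management net) and 203.0.113.7 (scanner) are
assumptions; 110.13.3.160 is the sample target from the scan.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    action: str           # "accept" or "drop"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any destination port
    comment: str

def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied, as the article demands."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not (_in_net(r.src, src) and _in_net(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "drop"

# Constructed addresses (assumptions): the firewall, the internal management
# net and the scanning host. 110.13.3.160 is the article's sample target.
FIREWALL = "110.13.3.1"
ADMIN_NET = "10.0.0.0/24"
VICTIM = "110.13.3.160"
SCANNER = "203.0.113.7"

ADMIN_SSH = Rule("accept", "tcp", ADMIN_NET, FIREWALL, 22, "admin access, must precede lockdown")
LOCKDOWN = Rule("drop", "any", "any", FIREWALL, None, "lockdown: nothing else reaches the firewall")
SERVICES = [
    Rule("accept", "tcp", "any", VICTIM, 21, "ftp"),
    Rule("accept", "tcp", "any", VICTIM, 80, "http"),
    Rule("accept", "tcp", "any", VICTIM, 443, "https"),
]
RULEBASE = [ADMIN_SSH, LOCKDOWN] + SERVICES     # correct order
MISORDERED = [LOCKDOWN, ADMIN_SSH] + SERVICES   # lockdown first: admin rule is never reached

_PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")

def parse_nmap(text: str) -> List[Tuple[int, str, str]]:
    """Extract (port, proto, state) triples from nmap's normal-output port table."""
    found = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3)))
    return found

def audit_scan(text: str, rules: List[Rule], src: str, dst: str) -> List[Tuple[int, str, str]]:
    """Compare what the scanner saw with what the rulebase says should happen.
    'open' and 'closed' both mean the packet got through the firewall; only
    'filtered' means it was dropped."""
    findings = []
    passed = set()
    for port, proto, state in parse_nmap(text):
        if state in ("open", "closed"):
            passed.add((port, proto))
            if evaluate(rules, proto, src, dst, port) == "drop":
                findings.append((port, proto, "passed firewall but rulebase says drop"))
    # the reverse check: a rule allows the port but the scan never saw it unfiltered
    for r in rules:
        if r.action == "accept" and r.dport is not None and r.proto != "any":
            if _in_net(r.src, src) and _in_net(r.dst, dst) and (r.dport, r.proto) not in passed:
                findings.append((r.dport, r.proto, "rulebase allows but scan saw it filtered"))
    return sorted(findings)

# Constructed input: the port table from the article's sample scan.
SAMPLE_SCAN = """\
(The 64985 ports scanned but not shown below are in state: filtered)
Port       State       Service (RPC)
21/tcp     open        ftp
23/tcp     closed      telnet
25/tcp     closed      smtp
53/tcp     closed      domain
80/tcp     open        http
111/tcp    closed      sunrpc
443/tcp    open        https
512/tcp    closed      exec
513/tcp    closed      login
514/tcp    closed      shell
"""

if __name__ == "__main__":
    for port, proto, why in audit_scan(SAMPLE_SCAN, RULEBASE, SCANNER, VICTIM):
        print(f"{port}/{proto}: {why}")
    print("admin ssh, correct order:", evaluate(RULEBASE, "tcp", "10.0.0.9", FIREWALL, 22))
    print("admin ssh, lockdown first:", evaluate(MISORDERED, "tcp", "10.0.0.9", FIREWALL, 22))
```

run it and the seven "closed" ports (23, 25, 53, 111, 512, 513, 514) come out
as packets that got through without any rule allowing them, which is exactly
the list you would go fix in the rulebase. the two evaluate() calls at the end
show the ordering point: with the lockdown rule first, the admin rule is dead.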

the scan shown above works great for TCP, but it doesn't work for UDP. UDP
scanning works by sending a UDP packet. if the UDP port is not open, an ICMP
port unreachable error is sent back to the remote system. this lets you know
that the port is not open. this is all great info, but what we really want to
know is not if the port is open, but if it is filtered. in order to find out if
your firewall is filtering UDP packets you must use two systems, one scanning
through your firewall, and one on the inside sniffing all incoming UDP traffic.
now you will be able to see which UDP packets are not filtered at the firewall.
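an added example (mine, not from the article) for the inside half of that
two-system UDP test: it takes the list of ports the outside box probed, reads a
tcpdump-style log captured on the inside host, and splits the probed ports into
"not filtered" (the packet showed up inside) and "filtered" (it never arrived).
the sniffer log, the scanner address 203.0.113.7 and the probed port list are
constructed; 110.13.3.160 is the article's target.

```python
import re
from typing import Iterable, Set, Tuple

# tcpdump-style line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
_UDP_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def udp_seen_inside(sniff_log: str, scanner_ip: str, target_ip: str) -> Set[int]:
    """Destination ports of UDP packets from the scanner that the inside sniffer saw.
    Filtering on the scanner's source address keeps unrelated UDP traffic out."""
    seen = set()
    for line in sniff_log.splitlines():
        m = _UDP_LINE.search(line)
        if m and m.group(1) == scanner_ip and m.group(3) == target_ip:
            seen.add(int(m.group(4)))
    return seen

def udp_filter_result(probed: Iterable[int], sniff_log: str,
                      scanner_ip: str, target_ip: str) -> Tuple[Set[int], Set[int]]:
    """Return (not_filtered, filtered) for the probed ports."""
    probed_set = set(probed)
    seen = udp_seen_inside(sniff_log, scanner_ip, target_ip)
    return probed_set & seen, probed_set - seen

def outside_view(probed: Iterable[int], icmp_unreachable: Iterable[int]) -> dict:
    """What the outside scanner alone can say: a port-unreachable reply proves
    'closed', silence could be open OR filtered. That ambiguity is why the
    sniffer on the inside is needed."""
    unreachable = set(icmp_unreachable)
    return {p: ("closed" if p in unreachable else "open|filtered") for p in probed}

# Constructed data: ports the outside box probed, and what the inside host captured.
SCANNER = "203.0.113.7"
TARGET = "110.13.3.160"
PROBED = [53, 69, 123, 161, 500, 514]
SNIFF_LOG = """\
12:00:01.000101 IP 203.0.113.7.40000 > 110.13.3.160.53: UDP, length 0
12:00:01.000342 IP 203.0.113.7.40000 > 110.13.3.160.123: UDP, length 0
12:00:01.000580 IP 203.0.113.7.40000 > 110.13.3.160.500: UDP, length 0
12:00:01.000790 IP 192.0.2.9.5353 > 110.13.3.160.69: UDP, length 12
12:00:01.000901 IP 203.0.113.7.40001 > 110.13.3.160.80: Flags [S], seq 1, win 1024, length 0
"""
ICMP_UNREACHABLE_SEEN_OUTSIDE = [123, 500]   # constructed: replies the scanner got back

if __name__ == "__main__":
    not_filtered, filtered = udp_filter_result(PROBED, SNIFF_LOG, SCANNER, TARGET)
    print("udp not filtered at firewall:", sorted(not_filtered))
    print("udp filtered at firewall:", sorted(filtered))
    print("outside box alone sees:", outside_view(PROBED, ICMP_UNREACHABLE_SEEN_OUTSIDE))
```

note the line from 192.0.2.9 hitting port 69: the inside sniffer sees it, but it
is not from the scanner, so it does not count and 69 stays "filtered". the
outside_view() call shows the problem the article is getting at: from outside,
port 53 (open, no reply) and port 161 (dropped, no reply) look identical.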

so go test your fucking firewall. it will help you sleep better.