Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Firewalls and Firewall Rules Auditing
Notes:
- Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected.
- This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books.
- The site contains some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open Directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate it if you could mail us a correct link.
A firewall allows an organization to control IP traffic: to permit, deny or proxy
data connections as set and configured by the organization's security policy.
Firewalls can be packaged as either appliances or installable software.
A firewall's basic task is to control traffic between computer networks with
different zones of trust. Typical examples are the Internet, which is a zone with
no trust, and an internal network, which is (and should be) a zone with high
trust. The ultimate goal is to provide controlled interfaces between zones of
differing trust levels through the enforcement of a security policy and a
connectivity model based on the least privilege principle and separation of duties.
In a BSD context a firewall is also known as a packet filter.
Proper configuration of firewalls demands significant networking skills as well
as an understanding of the organization's infrastructure.
About: ferm is a tool to maintain and set up complicated firewall rules.
It allows one to reduce the tedious task of carefully inserting rules and chains,
thus enabling the firewall administrator to spend more time on developing good
rules, and less time on the proper implementation of those rules. These rules
will be executed by the preferred kernel interface, such as ipchains or iptables,
in one pass. Firewall rules can also be split into different files and loaded
at will.
Changes: Support for more netfilter modules. A "remote" mode has been
added. All tables are reset correctly in "flush" mode.
This is the companion page for my Firewall Rule Base Best Practices document.
I have listed all the resources I would otherwise have put at the bottom of
the document. In this way, I hope to keep them current, and to add new
material when I find it without having to revise the original document.
If I have written it correctly, it should need little revision as time passes
and technology changes. We'll see.
Update 2003-01-27
When I started this document over three years ago, I was an InfoSec consultant
working with firewalls on a day-to-day basis. As will be obvious from a look
at the revision history at the bottom of this document, I have not found a great
deal of time to devote to it. In addition I have since moved on, and I do not
work with firewalls much in my current role.
I have been surprised at the number of requests that I get for this draft,
and I apologize to all those whom I've kept waiting through my lack of time. Thus,
I am making this draft directly available on the Internet in the hope that it
will be useful. I disclaim any and all liability; use it at your own risk.
If you would like to take over the maintenance of this document,
let me know.
NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, January 2002 [PDF, 1,208,320 bytes]
Google Directory - Computers > Security > Firewalls > Products > Personal Firewalls
Firewall Rule Base Best Practices.doc (last updated 2003-12-31)
12
Tips on Building Firewalls by D. Brent Chapman, Elizabeth D. Zwicky, Simon Cooper
07/01/2000
CERT Security Improvement Modules (Best Practices and Implementation)
Microsoft Security Best Practices
CERT: Deploying Firewalls
Microsoft Security Tools and Checklists
Firewall Piercing mini-HOWTO
ACK Tunnel through a Firewall
OpenHack: Lessons Learned
Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
Internet Firewalls FAQ
Commercial Firewalls
Books and other references for Internet Firewalls
Internet Firewall Essentials
CSI Firewall Archives
Security Related Port List
What Firewalls will look like in the year 2003
Slashdot: Using Firewalls to Block Spyware
firewall should be configured to deny everything and only allow through what
is needed. Only open ports that you need to open. Stuff like pop-ups that run on
port 80 (which you need to open for at least your squid proxy) are a different matter.
As for blocking pop-ups and stuff like that, those are best done on the proxy server.
On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy
to do with squid. The downside is that on some sites (like cnn) you get java errors
on some of their java code. Just tell the users to say "no" to the "do you want
to execute more java code from this page" and it is fine. That is the configuration
I use and it works fine.
Re:Firewall policy (Score:4, Insightful)
by Anonymous Coward on Wednesday May 14, @12:55AM (#5952098)
Huh? Either this is a troll, or you just don't get it.
Any half-wit administrator should be filtering all outbound traffic, to
just the ports NEEDED for the business to function (in many cases, that
means the internal equipment must use the proxy for everything, or they
can forget about connecting to the net). Everything else should run through
a proxy/caching server, or an internal SMTP relay server. I've yet to come
across any application that I've permitted my users to install, which was
unable to work with a proxy server.
Not only does a proxy/caching/relay server greatly speed up overall internet
access, but it allows for the company to fully log where an employee goes
online, and better control their use of the net. In the event of any legal
issues, the company can use those logs for either defense or prosecution.
Effective egress filtering also prevents employees (or even a virus or trojan)
from using your internet connection to send spam, attack others, and anything
else that the business does not need the employee to do.
If there's something wrong with your proxy server - that's likely the admin's
fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching
server is one that I've used extensively in many environments, and it has
performed without issue for quite some time.
Are you aware that most IM sessions are not encrypted, that all chat messages
are passed through servers that you do not and cannot control, and that they therefore
are not secure by any stretch of the imagination? You open that barn door,
and I guarantee you your users will quickly forget whatever you told them
about the insecurity, and start sending confidential and/or proprietary
information via the chat tools.
A specific list of websites - well, we actually do. Mozilla/Netscape can
go anywhere on the net, but IE is restricted to just a few business related
sites. This works very well to curtail users' access to potentially hazardous
sites, without impacting their ability to function.
Firewalls + a good policy (Score:3, Interesting)
by rogueMonkey (669464) on Tuesday May 13, @08:32PM (#5950575)
Our site denies software installations of any type through Windows policies
for anyone but power users (i.e., programmers, and not even all of them).
Sure there were complaints and groaning... But they weren't for crashing
computers anymore. You'd be surprised at the kind of sh*t some cute screen
savers (TM) install. DLL messups, preferences mangling! So while firewalling
might prevent some of the symptoms of spyware (i.e., call homes), good policies,
both technically enforced and "socially" enforced, go a long way.
Blocking the Permissioned Media "trojan" (Score:2, Informative)
by questionlp (58365) on Tuesday May 13, @10:51PM (#5951459) (http://closedsrc.org/)
After having a couple of calls regarding the Permissioned Media "trojan"
from users at work (which will still install even if you decline the Software
Install prompt at the warning), I decided to look around the Net for ways
to block it. I stumbled across Symantec's listing [symantec.com] of the "trojan",
which provided a list of IP addresses.
So I set up outbound deny rules on the firewall for those IP addresses
and DNS servers related to Permissioned Media. That stopped the problem
until they started to host the download off of other IP addresses and servers...
so I went back to the SARC document and added the new IP addresses to the block
list. For two weeks, I checked the page twice a day to see if the list changed.
Since then, the problem has stopped.
As far as HotBar is concerned, I set up the internal DNS caching server
to be authoritative for the hotbar.com zone and pointed it to a non-active
IP in the local subnet. That fixed much of the problem of people installing
it...
:)
Weird FedEx (Score:2)
by Animats (122034) on Thursday May 15, @02:31AM (#5961714) (http://www.animats.com)
One of the very few mainstream websites to use totally weird ports is
FedEx. Their Java applet for shipping packages not only uses unusual ports,
it requires that a connection be opened from the host side. If you're behind
a NAT box, this is painful. Amazingly, Linksys has special support for this.
Using DNS to block spyware, IM, etc (Score:2)
by Nonesuch (90847) on Thursday May 15, @08:11PM (#5969097) (http://www.msg.net/~nonesuch/)
Better yet, block internal hosts from communicating to the Internet
on port 53, and require all internal hosts to use the local nameservers
instead.
On these nameservers, override the zones for the biggest spyware domains
and also for AIM, Yahoo Chat and the like, adding wildcard A records directing
the request to the IP address of an internal machine running an HTTPd, or
to 127.0.0.1.
The effect is twofold -- this will break 90% of the spyware programs,
and you will have a log of all of the internal clients with spyware installed.
I use DJBDNS [cr.yp.to] for the nameserver and publicfile [cr.yp.to] for the HTTPd,
but the same effect can be obtained with BIND and Apache.
There are a few programs out there that use or will fall back to hardcoded
IP addresses, but these can be dealt with by adding NULL routes at the appropriate
gateway routers.
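The override-and-log setup described in the comment above, as an added example that is not the poster's DJBDNS/publicfile configuration: it generates BIND-style zone stanzas and one shared wildcard zone file for the overridden domains, then reads the sinkhole web server's log to list which internal clients called home. The sinkhole address 10.0.0.250, the BIND file paths, the domain list and the log lines are constructed assumptions; the log format assumed is Apache's vhost_combined.

```python
"""DNS sinkhole for spyware/IM domains (BIND style) plus a call-home report.

Added example; not the poster's DJBDNS/publicfile setup.  Everything named
here is a constructed assumption: sinkhole host 10.0.0.250, the BIND file
paths, the domain list and the web server log lines.
"""
import re
from collections import defaultdict

SINKHOLE_IP = "10.0.0.250"              # internal host running the HTTPd
ZONE_FILE = "/etc/bind/db.sinkhole"      # one zone file reused for every domain
SINKHOLED_DOMAINS = ["hotbar.com", "doubleclick.net", "example-spyware.test"]


def zone_file():
    """Zone data answering every name under the overridden domain with the
    sinkhole address.  All names are relative (no trailing dot), so the same
    file is valid for every zone that points at it."""
    return "\n".join([
        "$TTL 300",
        "@   IN SOA ns hostmaster ( 1 3600 600 86400 300 )",
        "@   IN NS  ns",
        f"ns  IN A   {SINKHOLE_IP}",
        f"@   IN A   {SINKHOLE_IP}",
        f"*   IN A   {SINKHOLE_IP}",   # wildcard catches www., ad., update., ...
        "",
    ])


def named_conf(domains):
    """Zone stanzas for named.conf: the resolver becomes authoritative for
    each listed domain, so clients never reach the real servers."""
    return "".join(
        f'zone "{d}" {{ type master; file "{ZONE_FILE}"; }};\n' for d in domains
    )


# Apache "vhost_combined": host:port client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>[^:\s]+):\d+ (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})')


def sinkholed(host, domains):
    """True if `host` is one of the overridden domains or a name under one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def infected_clients(log_lines, domains):
    """Map each internal client to the sinkholed names it asked for.  Requests
    for other names (e.g. someone browsing to the sinkhole IP directly) are
    dropped so the report lists only spyware/IM call-homes."""
    report = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and sinkholed(m["host"], domains):
            report[m["client"]].add(m["host"].lower())
    return {client: sorted(hosts) for client, hosts in report.items()}


# Constructed sinkhole access log (vhost_combined format).
SAMPLE_LOG = """\
www.hotbar.com:80 10.1.2.33 - - [15/May/2003:20:11:02 +0000] "GET /hb.cab HTTP/1.1" 200 512 "-" "Mozilla/4.0"
ad.doubleclick.net:80 10.1.2.33 - - [15/May/2003:20:11:09 +0000] "GET /ad/x.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0"
update.example-spyware.test:80 10.1.7.8 - - [15/May/2003:20:12:40 +0000] "POST /ping HTTP/1.0" 200 0 "-" "SpyAgent/1.0"
10.0.0.250:80 10.1.9.1 - - [15/May/2003:20:13:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
not a log line
"""

if __name__ == "__main__":
    print(named_conf(SINKHOLED_DOMAINS))
    print(zone_file())
    for client, hosts in infected_clients(SAMPLE_LOG.splitlines(), SINKHOLED_DOMAINS).items():
        print(client, "->", ", ".join(hosts))
```

The report only works if the poster's first step is also in place: with outbound port 53 blocked at the perimeter, clients cannot bypass the overriding resolver.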
3Com upgrades Firewall Cards
By John Leyden, The Register, Oct 8 2002 11:37AM
3Com has launched a rack of new embedded Firewall
Cards. The range includes a new 3Com Firewall PC Card, as well as a revamp of
existing Firewall Desktop PCI Cards, 3Com Firewall Server PCI Cards and 3Com
Embedded Firewall Policy Server.
Designed to secure vulnerable notebooks and remote PCs, the products provide
hardware firewall protection with built-in 10/100 LAN connectivity. It's a way
of defending in depth against attacks using a hardware approach that is faster,
more secure and, in theory, easier to manage than software firewalls (which
are possibly more flexible).
Such an approach is good news for sysadmins, but much less palatable for workers
downloading MP3s from work. Those potentially risky UDP ports are almost sure
to be blocked with 3Com's products.
Building on 3Com's first Embedded Firewall products, launched last February,
the new Firewall Cards enable network managers to extend Embedded Firewall protection
to remote users connecting to the corporate network via a VPN broadband connection.
The newly announced enhanced security products also automatically detect if
a user is connecting from inside or outside the LAN's physical perimeter and
applies the appropriate security policies for that location.
The products (which use firewall technology from Secure Computing) aim to frustrate
unauthorised actions by both external, and internal, ne'er do wells.
3Com is targeting the most security-sensitive market segments with the products:
government, finance, healthcare, and education (an odd one this as budgets are
tight in schools and Unis and security policies tend to be less strictly enforced).
Prices for the 3Com Embedded Firewall Policy Server start at $199 (for 10 clients).
Firewall PC Cards cost from $219 each or $3,999 for 20. The Firewall Desktop
PCI Card with 10/100 LAN costs from $179, with discounts for bulk purchases.
Firewall Server PCI Card with 10/100 LAN will set you back $329 each, again
with bulk discount.
3Com Embedded Firewall Solution has been approved for export worldwide, subject
to standard export restrictions.
Securing Systems with Host-Based Firewalls - Implemented With SunScreen[tm] Lite 3.1 Software
by Martin Englund
This article provides a discussion of why host-based firewalls can be an effective
alternative to choke-point based firewalls or an additional layer of security in
an environment. Details are then provided on how to implement host-based firewalls
using Sun's free host-based firewall software - SunScreen[tm] SecureNet Lite
***+
Root Prompt -- Auditing Your Firewall Setup
by Lance Spitzner [Apr. 10, 2000]
You've just finished implementing your new, shiny firewall.
Or perhaps you've just inherited several new firewalls with the company merger.
Either way, you are probably curious as to whether or not they are implemented
properly. Will your firewalls keep the barbarians out there at bay?
Do they meet your expectations? This paper will help you find out.
Here you will find a guide on how to audit your firewall and your firewall
rulebase. Examples provided here are based on Check Point FireWall-1,
but should apply to most firewalls.
Where to Start
This paper can help you in one of two situations. First,
you have certain expectations of what your firewall can or cannot do and you
want to validate those expectations. Second, you do not know what to expect,
so you need to audit your firewall to learn more. Either way, this paper
can hopefully help you out. We are not going to cover how to audit or
"hack" a network; that is a different subject. Also, we are not going
to discuss which firewall is better than others; each firewall has its own advantages
and disadvantages. What is going to make or break you is not choosing
the "best" firewall, but implementing it correctly. That is the purpose
of this paper: making sure our firewall is correctly implemented and behaves
as we expect.
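A rulebase check of the kind the paper describes, as an added example that is neither from Spitzner's paper nor Check Point tooling: it reads a small vendor-neutral rule list (a constructed format with constructed rules, not FireWall-1 syntax) and flags rules that can never match because an earlier rule shadows them, rules that merely repeat an earlier decision, and any-to-any accepts. Rule order matters because, as in FireWall-1 and most packet filters, the first matching rule wins.

```python
"""Audit a firewall rulebase for shadowed, redundant and any-to-any rules.

Added example; not code from the paper above.  The rule format is a
constructed, vendor-neutral one:  name action src dst proto ports
"""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp", "icmp" or "any"
    ports: tuple                    # inclusive (low, high) destination port range

    def covers(self, other):
        """True if every packet matched by `other` is also matched by `self`,
        i.e. `other` can never be reached when `self` sits above it."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def parse_ports(spec):
    if spec == "any":
        return ANY_PORTS
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, action, src, dst, proto, ports = line.split()
        rules.append(Rule(name, action.lower(), ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto.lower(),
                          parse_ports(ports)))
    return rules


def audit(rules):
    """Return (rule, finding, reference) triples for a top-down, first-match
    rulebase.  Only single-rule cover is detected: a rule hidden by the
    *union* of several earlier rules is not reported."""
    findings = []
    for pos, rule in enumerate(rules):
        if rule.action == "accept" and rule.src == ANY_NET and rule.dst == ANY_NET:
            findings.append((rule.name, "over-permissive", "any source to any destination"))
        for earlier in rules[:pos]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings


# Constructed sample rulebase (not a real site's policy).
SAMPLE_RULEBASE = """
web-out    accept 10.0.0.0/8    0.0.0.0/0       tcp  80
https-out  accept 10.0.0.0/8    0.0.0.0/0       tcp  443
block-lab  drop   10.1.0.0/16   0.0.0.0/0       tcp  80    # never matches: web-out is above it
dev-https  accept 10.1.2.0/24   0.0.0.0/0       tcp  443   # duplicates https-out
dns-out    accept 10.0.0.0/8    192.0.2.53/32   udp  53
icmp-all   accept 0.0.0.0/0     0.0.0.0/0       icmp any   # any-to-any accept
cleanup    drop   0.0.0.0/0     0.0.0.0/0       any  any
late-ssh   accept 10.0.0.0/8    203.0.113.0/24  tcp  22    # sits below the cleanup rule
"""

if __name__ == "__main__":
    for name, kind, ref in audit(parse_rules(SAMPLE_RULEBASE)):
        print(f"{name:10} {kind:16} {ref}")
```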
ZoneAlarm Pro 3.0
ZoneAlarm Pro 3.0 is as good as personal firewalls get.
Although you'll still need an antivirus product to completely protect your
PC, we think that the extras in ZoneAlarm Pro are worth the cash--free alternative
or not.
SecurityFocus: unix infocus archive, fwrules index
USENIX ;login July '00 - firewalls at home
Firewalls have traditionally been pretty scary
things — devices that sat in protected areas in the computer room, maintained
through High Wizardry, protecting the Company Network from All Evils. However,
as we have seen with the DDoS attacks earlier this year, computer security is
not something that should be limited to large companies with big, fat pipes
coming off the Net. Neither is computer security something that is being done
solely to protect the company network from what's happening outside. Not a great
many people are aware that nowadays the Internet as a whole can be in trouble
when a single system, yours, is compromised. With tools like Tribal Floodnet,
TFN2K, and Stacheldraht, your system is not the one that is hurt the most when
it is compromised. Your system could be used to participate in the next round
of DDoS attacks that hits the news, or it could be used to send out spam.
A big change is happening right now: it's no
longer just companies or universities that have fast enough permanent connections
to be of interest to the average script kiddie out there. With cable modems
and ADSL lines being installed in huge numbers, there's lots of bandwidth connected
to unprotected systems. People at home never had to think about this kind of
thing before. They are not aware that they are the next big target for script
kiddies. The number of systems that can be compromised easily is exploding.
And can the home user really be blamed? I don't think so. What's special about
an average family with kids in high school owning more than one computer in
the home, and connecting them together in a small network to share a hard disk
or a printer? Nothing really, but unless they take specific action to prevent
it, those drive shares will be accessed from across the planet. Any sysadmin
who has installed snort on his firewall can testify that Windows
shares are the most often scanned-for "vulnerability."
ZDNet Story Sneak Peek ZoneAlarm 3--an even better personal firewall
This week Zone Labs announced the 3.0 versions
of its wildly popular personal firewall and security products, ZoneAlarm and
ZoneAlarm Pro. Key improvements include a beefed-up firewall, support for Windows
XP, a much-improved user interface, and more help for users who want to understand
the alerts the software presents to them.
The beta software I tested was still a work in progress and
won't be released for a month or so. But the company announced the new version
ahead of time, because it wanted customers to understand that XP support and
other requested improvements are on the way. It also seemed to feel some competition
from the Nortons of the world, recently out with their 2002 releases. I'd rather
have seen the software announced when it was ready for download, but I didn't
get a vote.
STILL, IT'S HARD to get
upset with a company as aggressively user-friendly as Zone Labs. After building
what most reviews and user comments I've seen say is a top-notch security product,
the company chose a radical marketing plan: They give the software away.
Personal users (that's you and me) and non-profits (but not
government or schools) can use ZoneAlarm absolutely free. Business customers
pay $19.95 and those wanting some additional networking features can upgrade
to the Pro version for $39.95.
The company previously sold annual subscriptions. When the
subscription expired, so did the software. Now, once you install it, the application
runs in perpetuity. Pricing for the new version will be announced at release,
but the free version is a permanent fixture.
All the most important features are included in the free version.
These are a "stealth" firewall, which makes your computer invisible to outsiders,
and application control, which protects against e-mail worms and other malicious
code that gets onto your machine.
THE 3.0 VERSION includes an easier-to-understand
"home page"-based user interface, and does a better job of explaining the individual
alerts presented to the user, including a "more info" button that links to the
company's Web site for detailed explanations and technical information.
The new release also hardens the firewall. One feature
"fingerprints" programs that access the Internet, as well as individual program
files, to ensure a trusted application cannot be corrupted by a rogue DLL installed
onto the machine.
But for all the program does--which is a lot--ZoneAlarm is
not antivirus software, and Zone recommends that users install their favorite
program to protect against infections. Though ZoneAlarm does protect against
many of the effects of computer viruses and can stop a computer from becoming
infected in the first place, it is specifically not a virus cure.
The 3.0 Pro version includes privacy protection, cookie control,
and enhanced network support. There is also a new, threshold-based ad-blocker
that deserves some discussion.
WHILE I DON'T LIKE ad blockers--being
that they threaten my livelihood--this one makes some sense, because it blocks
ads only when they take too long to download. This is especially handy if you're
dialing into the Internet on a relatively slow connection. It also supports
blocking pop-ups and pop-unders, which I fully endorse.
While a personal user doesn't absolutely require the Pro features,
many individual users like the free version so much they upgrade anyway, as
a means of supporting a software company they like. Paying corporations are
also well-represented among Zone Labs' estimated 15 million users, including
EDS, which recently site-licensed 125,000 copies for its employees.
Last time I checked, ZDNet users had downloaded nearly 14
million copies of ZoneAlarm, and I'm sure the new version will only add to its
popularity. And while the new version won't be out until sometime around Comdex
Fall time frame in mid-November, there's no reason not to
download the current release and upgrade when the new one appears.
After all, the price is certainly right.
Aladdin Security: content filtering, Virus and Vandal protection
PGP Security - Protecting Your Privacy - A Network Associates Company
Personal Firewall Protection and Intrusion Detection
Now remote and distributed users can benefit from the security of an "Enterprise
Ready" distributed firewall. The PGP Distributed Firewall is the first product
to bundle a fully configurable "Packet-Filtering" firewall with Personal Intrusion
Detection in a single, installable package that is managed remotely using "Enterprise
Ready" software from PGP Security. This not only gives you the ability to create
silent installs, but also allows you to remotely change firewall/IDS policies,
and lock them down from the end-user.
PGPfire checks data entering and leaving your computer based on filtering rules,
protecting you from attacks that originate from within and outside the corporate
network. PGPfire offers pre-set levels of protection and lets you define your
own protection rules. If an intrusion is detected, it records the event, the
source address and the time it occurred, and alerts.
Features and Benefits:
- Stop hackers and Trojan horses: Personal Intrusion Detection keeps hackers and Trojan horses out
- Ability to securely retrieve new policies from LDAP server: unmatched scalable corporate management
- Ability to build deployment packages with policy configuration pre-defined: unmatched scalable corporate management
- Alerts in case of attack or if system is compromised
- Remote system integrity monitoring
Norton Internet Security 2000 2.0 Win98-2K-NT4 - Software Reviews - CNET.com
Thanks to its built-in firewall, Internet
Security 2000 is the most secure all-in-one Net security app we've seen and the
perfect choice for anyone with an always-on connection. Costs more
than McAfee Internet Guard Dog 3.0.
CNET Review
By Gregg Keizer
(05/03/00)
URL: http://software.cnet.com/software/0-352110-1204-1782503.html
Norton Internet Security 2000 has a leg up on the competition. At a list
price of $59, it's more expensive than
McAfee Internet Guard Dog. But although it comes with many of the same security
tools (such as Web site filters) as its competitor, only Internet Security builds
a personal firewall, a barrier that protects your PC from hackers. Internet Security
handles all security chores and guards your back door, so this package is ideal
protection, especially for cable and DSL users.
Easy Setup
Even beginners can set up Internet Security 2000 in no time. Its control display
is well organized, with easy-to-understand sliders for setting security and
privacy options. Internet Security asks for the personal information you want
to keep secure after you've installed the program so that it's clear
why you need to hand over such personal data.
Bar the Back Door
But Internet Security's finest feature is its automatic firewall. This makes
your PC invisible and unreachable to hackers who may try to connect to your
machine without your knowledge. You can even set the strength of the firewall
to strike a balance between intrusiveness and thoroughness; at higher settings,
legitimate Internet activities might be blocked. Without a firewall, heavy Net
users, especially those with an always-on DSL or cable connection, take a risk
that rampaging hackers will gain access to or hijack the PC for their own underhanded
purposes.
And Internet Security also gives you complete control over the rest of its
Net filters, including the data that leaves your system and what is allowed
through the firewall. You can, for instance, set the security level to allow
or disallow Java applets and ActiveX Controls. If you selectively keep them out,
Web sites can't send code that could damage your PC. Plus, you get to specify
which private info, such as credit card numbers and email addresses, Internet
Security shouldn't transmit out. Internet Security lets you finesse protection
site-by-site by using its Advanced Options dialog box so that you can choose
different security settings for different Web sites--nice flexibility.
Does More Than the Dog
Like Guard Dog, Internet Security blocks banner ads (with limited success),
keeps kids away from specified Net activities (access to chat programs, for
instance), and lets you create multiple accounts to protect different members
of your household at different levels. But Internet Security offers unique features,
including an option to disable secure server access so that kids can't shop
online and an online updater that keeps Internet Security informed about
malevolent Java applets, viruses, and ActiveX Controls, as well as new hacker
tactics.
Safe and Secure
Internet Security 2000's comprehensive protection costs $20 more than Guard
Dog, but the additional security is well worth the money, especially if you
connect to the Net via DSL or a cable modem. But even if you dial in, this package
is useful if you spend a lot of time online.
Zone Labs ZoneAlarm 2.1 Win9X-NT4-2K - Software Reviews - CNET.com
ZoneAlarm is easy to install, and its default settings protect
your system at two levels: medium, for local traffic, and high, for Internet
traffic (which blocks all Internet traffic until you say otherwise). This means
that whenever an application on your PC tries to access the Internet, ZoneAlarm
asks you whether to allow it. However, when you customize ZoneAlarm, it becomes
even more powerful. ZoneAlarm lets you grant apps such as Internet Explorer
and Outlook permanent access to the Web.
What's more, ZoneAlarm displays a little toolbar at the top
of the screen that monitors network activity. The toolbar has intelligent status
indicators that tell you whether the program is locked (blocked from the Internet)
or open and icons that indicate which applications are currently accessing the
Net.
Lots of Extras
Other cool features
include an emergency Stop button, which immediately halts all Net traffic if,
for example, an unauthorized application is sending data out. There's also an
automatic Lock, which stops Internet access whenever your screensaver activates
or after a prespecified period of inactivity (this ensures that no one can hack
your PC while you're away). Even better, ZoneAlarm offers an idle-port-blocking
feature, which automatically closes ports when applications no longer need to
communicate, blocking unauthorized access. Also, in our Labs tests, ZoneAlarm
was the only firewall that completely hid all the ports on our computer.
Curing the Love Bug
Another big bonus: although ZoneAlarm is not an antivirus app, it does sport
the MailSafe feature, which isolates all incoming Visual Basic scripts, such as
the Love Bug virus, until you decide what to do with them.
ZoneAlarm also automatically updates itself over the Web, making sure
it protects your computer against the latest threats.
With its straight-out-of-the-box protection, unsurpassed features,
and free distribution to home users, ZoneAlarm is our hands-down firewall champion.
Surprisingly, the most secure of the three firewalls
we tested was also the cheapest. A 1.6MB
download from FileWorld,
Zone Labs' ZoneAlarm firewall and updates are free for individual users
and cost $19.95 annually for business users.
This firewall was the easiest of the three to install
on our test PC, requiring the fewest steps to get up and running. Two sliders
let you independently select a range of security settings for local and Internet
connections.
With ZoneAlarm's sliders set to the default of high security for Internet applications
and medium security for local network applications, we went back to Shields
Up, where we earned a "very secure" rating. The site could read no information
about the PC; some of the PC's ports were visible but closed. When we returned
to the site and tested ZoneAlarm's highest security setting, our PC was in full
stealth mode--no ports were detected.
You might expect a free, powerful firewall to be difficult
to use. ZoneAlarm is quite the opposite: You can easily adjust the security
level with sliders for both local network and Internet access. If you click
the Advanced button, you can access network settings. Though you won't get a
manual or CD-ROM instructions with ZoneAlarm, we found it easy to set up without
help. A nice touch in this latest version of ZoneAlarm is that it contains a
MailSafe feature that claims to protect your system from viruses written in
Visual Basic Script, such as "ILove You." (We didn't test this feature.)
Bottom line: ZoneAlarm is the most secure of the three
firewalls we tested--and you can't beat the price.
All three programs made our test machine safer. Both
McAfee Firewall and Norton Personal Firewall 2000 provided solid protection
and myriad advanced features--but we preferred the excellent (and free) ZoneAlarm.
www.firetower.com -- useful site
O'Reilly Network: Linux for Security Applications
A Linux firewall is a regular Linux machine, to which all
available security patches and updates have been applied and from which all
unnecessary services have been removed. Unnecessary services include:
- C/C++, Java, and other development tools
- NFS and other end-user servers and services
- End-user accounts
- Server processes such as 99% of the items listed in /etc/inetd.conf
This point cannot be emphasized enough -- firewalls must be
systems whose software is known to be working properly where all known
security risks and exposures have been eliminated. This is the hardest part
of any security administrator's job -- making sure you're up to date with the
latest security advisories from CERT, the
Computer Emergency Response Team, and the other information security monitoring
groups. Most people get into trouble because they fail to monitor or, more often,
fail to act on a known security vulnerability.
The crux of the biscuit: packet filtering
Packet filtering is the process by which packets coming from
a network to which the firewall is attached are examined to determine how they
should be handled.
There are several packet filtering systems available for Linux,
but the most commonly used is a package called IP Chains, which is based
on a novel, if not arcane, system for specifying how packets can be allowed
through the firewall.
The goal of packet filtering is to examine each and every
packet that could transit the firewall to ensure that it meets the rules set
down by the administrators. The IP Chains system sets up a series of filters
that examine a packet to determine what should be done with it; if one filter
decides that the packet isn't a type that it handles, it passes it on to the
next filter in the chain until the packet is either passed to the inside (protected)
network, or it falls off the end of the filter chain and is rejected or dropped.
In the simplest scenario, the firewall has to make sure that
the packet is coming from an authorized host on an authorized network and going
to an authorized host on an authorized network.
Other checks might include making sure that only selected
protocols (such as X Window, FTP, or Telnet) are allowed to pass through the firewall,
or, at a deeper level still, the content of the packets might be examined to
ensure that they contain the kind of data they say they do and that someone
isn't playing games with tunneling, say, X Window sessions over a Telnet session.
The bottom line with regard to creating a firewall system,
whether using Linux as a base or any other operating system, is to make sure
that the policies that define what can pass through the box are clearly thought
out and consistently applied and that the system is not just set up and never
looked at again.
ZDNet Sm@rt Partner - Hackers Breach Firewall-1
While Checkpoint issues service pack to address vulnerabilities, hackers warn against placing too much faith in firewalls.
By David Raikow, Sm@rt Partner
An audience of several hundred
network security professionals watched with rapt attention last week as a trio
of hackers repeatedly penetrated one of the industry's most trusted and popular
firewall products--Checkpoint Software's Firewall-1. The demonstration, presented
at the "Black Hat" security conference in Las Vegas, challenged the widely accepted
notion that firewalls are largely immune to direct attack.
The panel--John McDonald and Thomas
Lopatic of German security firm Data Protect GmbH and Dug Song of the University
of Michigan--identified three general categories of firewall attacks. They began
by demonstrating a number of relatively simple techniques by which an attacker
could impersonate an authorized administrator, and thus gain access to the firewall
application itself. A second type of attack tricked the firewall into believing
an unauthorized Internet connection was actually an authorized virtual private
network connection. Finally, the panel exploited a number of errors in the process
used to examine traffic passing through the firewall to sneak in dangerous commands.
While their presentation focussed on
a single commercial firewall product, panel members repeatedly emphasized that
most firewalls are vulnerable to the types of attacks demonstrated. "The problem
is not just with [Firewall-1]," said Song. "The real problem is the blind trust
most people place in their firewalls."
Greg Smith, Checkpoint's director of
product marketing for Firewall-1, pointed out that many of the attacks demonstrated
relied on improper firewall configuration, and he asserted that they presented
little practical threat. "Not a single customer has reported a problem with
any of these issues."
Nevertheless, Checkpoint worked with
McDonald, Lopatic and Song in developing defenses against the attacks, which
they released as part of Firewall-1 Service
Pack 2 immediately following the demonstration. Checkpoint emphasized that
the service pack should prevent all of the attacks discussed, even those dependent
on misconfiguration.
The panel also recommended a number
of additional steps for "hardening" firewalls, including use of strong authentication
protocols, "anti-spoofing" mechanisms and highly restrictive access rules. At
the same time, they called on the IT community to abandon the "single firewall"
model of network security and implement multiple lines of defense.
However, one observer of the session,
employed by a network switch manufacturer, thinks Checkpoint lost some credibility
over its products. "Some of the exploited areas were because of dumb programming
mistakes in the code for the firewall itself. If the [firewall] programmers
can't get it right, what other problems may still be lurking?" he pondered.
BSD Today -- Running a BSD-based Firewall
Commercial Firewalls vs. Open Source Firewalls
The first bridge that we had to cross was getting people to
accept an open source firewall package. Everyone knows and trusts products like
Checkpoint and Cisco's Pix firewall. A firewall is a key part of the security
infrastructure. It is a stretch to ask management to trust a product they may
have never heard of for such an important part of the network.
When you buy a commercial firewall product, you are not buying
a better quality product, but only paying for a name. That name gives your management
and you confidence that there is a strong, solid company behind your firewall.
With an open source firewall, you do not get that name. However, you do get
the equivalent credibility through the very nature of open source. Anyone that
uses it will be more than happy to tell you the good and the bad that they have
gone through with the product.
The other bonus is that open source firewalls are usually
written by people that are using the product themselves. This gives them every
incentive in the world to make it work right. Plus, with the open source model
you can influence the direction of the program. Darren Reed of IP Filter has
impressed me many times over with his openness to add features that users have
asked for. You do not find that with a bigger commercial company.
Our Firewall product
I am a BSD guy. That is the platform I know best. With that
in mind, there are two popular free firewalls we could pick from: IP Filter
and IP Firewall. IP Firewall is a fine product that I have used in the past
with success, but at the time it could not keep state. A stateful firewall was
a requirement for this particular project, so we decided to go with IP Filter
(http://coombs.anu.edu.au/~avalon/).
There is a bit of a religious war about stateful vs. non-stateful
(packet filter) firewalls. Don't take my word for which is better. Look through
the book referenced above to see which would work best for you. I prefer to
stay with a stateful firewall, because it allows me to only allow the initial
SYN packet through. Then the firewall will allow the rest of that TCP session
through. This prevents things like stealth scans from getting through your network.
IP Filter is a nice, small, and efficient firewall that comes
with the base OS of FreeBSD, OpenBSD, and NetBSD. It also runs on Solaris, SunOS,
BSD/OS, Irix, and HP-UX. The cross platform nature of the product was a big
feather in its cap. It would allow us to go with one Unix today, switch to a
different Unix in the future, and still keep the same firewall product. The
next question was: What platform are we going to run this product on?
Testing
After the firewall is installed and the rules are written,
the most important thing is testing. You cannot set up a firewall, throw it on
the network and assume it works.
Testing the NAT (Network Address Translation) is very easy.
Simply plug a machine on the internal interface and see if it works. SSH into
a box on a remote network, do a "who" and see what IP it says you are coming
from. Really, NAT is kind of nice in the regard that it either works or does
not.
The firewall, however, is a different story. There is really
no right way of testing it. What we did was go through the rule set and double
check all the rules. After that, from a remote network we ran Nessus (http://www.nessus.org/),
Nmap (http://www.insecure.org/nmap/index.html)
and Saint (http://www.wwdsi.com/saint/)
against our public IP range. You may have some different preferred tools to
use for this purpose. The key is to be creative. Try what you would do if you
were trying to break into that network. Use the tools that crackers trying to
break in would use.
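As an added example (not code from any of the articles quoted above), the following Python simulator ties together three points made on this page: the first-match rule chain described in the IP Chains passage (a filter that does not handle a packet hands it to the next, and a packet that falls off the end is dropped), the SYN-only stateful matching the IP Filter piece prefers (only the initial SYN is checked against the rules, the rest of the session is passed from state, so a lone FIN or Xmas probe has nothing to ride on), and the "double check all the rules" step of testing, done here as a check for rules that an earlier rule shadows. The Rule fields keep_state and syn_only are hypothetical names standing in for IP Filter's "keep state" and flag-matching options, not ipf syntax, and every address and rule below is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Constructed packet: a 5-tuple plus a set of TCP flag names such as "SYN"."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()

@dataclass
class Rule:
    """One filter in the chain. keep_state / syn_only are hypothetical names that stand
    in for IP Filter's "keep state" and "flags S" options; this is not ipf syntax."""
    action: str                 # "pass" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False    # on pass, remember the session so later packets skip the chain
    syn_only: bool = False      # only the initial SYN may match (no ACK, FIN, RST, ...)

    def matches(self, p: Packet) -> bool:
        """Does this filter handle p? If not, the chain hands p on to the next filter."""
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (not self.syn_only or p.flags == frozenset({"SYN"})))

class Firewall:
    """First-match rule chain; packets that fall off the end get the default policy."""
    def __init__(self, chain, default="block"):
        self.chain = list(chain)
        self.default = default
        self.state = set()      # (src, sport, dst, dport, proto) of sessions whose SYN passed

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        # Stateful shortcut: traffic of a session that began with an allowed SYN passes in
        # either direction without walking the chain; a lone FIN/NULL/Xmas probe has no
        # state entry, so it must get through the chain on its own, which syn_only prevents.
        if fwd in self.state or rev in self.state:
            return "pass"
        for rule in self.chain:
            if rule.matches(p):
                if rule.action == "pass" and rule.keep_state:
                    self.state.add(fwd)
                return rule.action
        return self.default     # fell off the end of the chain

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.proto is None or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and (not a.syn_only or b.syn_only))

def shadowed_rules(chain) -> list:
    """Audit step: indexes of rules that an earlier rule fully covers, so they never fire."""
    return [j for j in range(len(chain)) if any(covers(chain[i], chain[j]) for i in range(j))]

# Constructed rule base for a border firewall in front of 192.0.2.0/24 (documentation range).
CHAIN = [
    Rule("block", src="10.0.0.0/8"),  # anti-spoofing: private source address from outside
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=25, keep_state=True, syn_only=True),
    Rule("pass", dst="192.0.2.0/24", proto="tcp", dport=80, keep_state=True, syn_only=True),
    Rule("block", dst="192.0.2.10/32", proto="tcp", dport=80, syn_only=True),  # never reached
]

def run_demo() -> dict:
    """Run constructed packets through the chain and audit the chain for shadowed rules."""
    fw = Firewall(CHAIN)
    syn = Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 25, frozenset({"SYN"}))
    ack = Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 25, frozenset({"ACK"}))
    reply = Packet("192.0.2.10", "198.51.100.7", "tcp", 25, 40000, frozenset({"SYN", "ACK"}))
    probe = Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 25, frozenset({"FIN"}))
    spoofed = Packet("10.1.1.1", "192.0.2.10", "tcp", 40002, 25, frozenset({"SYN"}))
    return {
        "probe_no_session": fw.filter(probe),   # no state and no SYN: falls off the chain
        "spoofed_syn": fw.filter(spoofed),      # caught by the anti-spoofing rule
        "syn": fw.filter(syn),                  # allowed, and a state entry is created
        "ack_in_session": fw.filter(ack),       # passed from state, chain not consulted
        "reply_in_session": fw.filter(reply),   # reverse direction of the same session
        "shadowed": shadowed_rules(CHAIN),      # rule 3 can never fire: rule 2 covers it
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The shadowed block rule is exactly the kind of finding a rulebase walk-through should surface: the administrator believed web traffic to the mail host was blocked, but the broader pass rule above it wins on first match.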
[Apr. 10, 2000] Root Prompt -- Auditing Your Firewall Setup
by Lance Spitzner
You've just finished implementing your new, shiny firewall.
Or perhaps you've just inherited several new firewalls with the company merger.
Either way, you are probably curious as to whether or not they are implemented
properly. Will your firewalls keep the barbarians out there at bay?
Does it meet your expectations? This paper will help you find out.
Here you will find a guide on how to audit your firewall and your firewall
rulebase. Examples provided here are based on Check Point FireWall-1,
but should apply to most firewalls.
Where to Start
This paper can help you in one of two situations. First,
you have certain expectations of what your firewall can or cannot do and you
want to validate those expectations. Second, you do not know what to expect,
so you need to audit your firewall to learn more. Either way, this paper
can hopefully help you out. We are not going to cover how to audit or
"hack" a network; that is a different subject. Also, we are not going
to discuss which firewall is better than others; each firewall has its own advantages
and disadvantages. What is going to make or break you is not choosing
the "best" firewall, but implementing it correctly. That is the purpose
of this paper: making sure our firewall is correctly implemented and behaves
as we expect it to.
Application: hunt. Stable Version: 1.0. Brief Description: Tool for exploiting well-known weaknesses in the TCP/IP protocol suite
Application: ipfwadm Dotfile module. Stable Version: 0.25b. Brief Description: GUI ipfwadm wrapper, simplifies firewall and masquerade setup
Application: IsinGlass. Stable Version: 1.13. Brief Description: Firewall setup script designed to protect dial-up users.
Distinguish firewall hype
Guest Feature: Auditing Your Firewall Setup, by Lance Spitzner, Tue Sep 21 1999
TIS FireWall ToolKit (FWTK): Free firewall proxies for HTTP, X, SMTP, FTP, and a generic plug proxy.
- ipsend allows sending of many types of IP packets for network/security testing
- arnudp.c sends a single udp datagram with the source/destination address/port set to whatever you want. In particular, this illustrates a danger of having UDP echo service turned on in /etc/inetd.conf on many versions of UNIX. Consider the result if source address and port are set to localhost and 7 respectively - the inetd in FreeBSD 2.2 seems to detect this denial of service attack, but many UNIX variants do not
- T.I.S. has a free firewall toolkit that can serve as a component of a firewall. Some other firewall toolkit related information:
- An MBone Proxy for an Application Gateway Firewall
- Some information on and implementations of SKIP - IP level cryptography and key management
- IP Filter is a TCP/IP packet filter and NAT for Solaris, SunOS, NetBSD, FreeBSD, BSDI
- Filter Language Compiler generates filter rules for various packages including IP Filter and Cisco routers
gfcc GTK+ Firewall Control Center
gfcc (GTK+ Firewall Control Center) is a GTK+ application
which can control Linux
firewall policies and rules, based on ipchains package.
Changes: This is a bugfix release.
Urgency: medium
Thanks very much to all who responded regarding low-cost firewalls for Solaris. Below please find a summary of the responses, for your reference.
SonicWall by Sonic Systems http://www.sonicsys.com/products.html
SonicWall is a hardware solution which provides all of the
basic functionality, plus some added features. SonicWall is inexpensive at $495
for 10 IP addresses and basic functionality, and $1,495 for unlimited addresses
with additional features.
www.firetower.com -- useful site
http://www.clark.net/pub/mjr/pubs/fwfaq/
Firewall FAQ
http://cheops.anu.edu.au/~avalon/ip-filter.html
IP filter offers filtering via IP, port, protocol/service, NAT, logging, etc and
it can be installed on a non-dedicated server.
http://www.waterw.com/~manowar/vendor.html
List of Firewall Products and Vendors:
http://www.icsa.net/services/consortia/firewalls/certification.shtml
Information on ICSA certification for Firewall products:
www.tis.com Trusted Information Systems (TIS)
has developed two products: the Firewall Toolkit (FWTK), and the Gauntlet Firewall.
The Firewall Toolkit is freeware, more information can be found at
http://www.fwtk.org. Gauntlet is a commercial product, with a price range of
$5,000-$17,500. More information can be found at www.tis.com.
www.ascend.com Ascend offers a product called
Secure Access Firewall. I was not able to find a price on their web-site.
Intrusion Detection
for Check Point FireWall-1
How to implement intrusion detection for Checkpoint Firewall 1. Also
included is a downloadable script that does all IDS functionality for you.
Understanding the FireWall-1
State Table
This whitepaper covers how FW-1 stateful inspection works, and how stateful
it really is. Included is a PERL script that helps you read and understand your
own FW-1 state table. This paper is a work in progress.
Building Your Firewall Rulebase
Misconfigured firewalls are one of the biggest risks security admins face.
This paper describes in a step-by-step fashion how to build a secure firewall
rulebase.
Auditing Your Firewall Setup
How to audit your firewall setup. The purpose of this paper is to help
you verify your firewall is correctly implemented and behaves as you expect
it.
FW-1 Troubleshooting Tips
Logger for Checkpoint Firewall 1
(May 4, 2001, 18:56 UTC) (Posted by mhall)
Laurent Constantin has written in with a complete guide to testing firewalls and routers using lcrzoex. There's plenty of detail here for the aspiring security maven.
Network scanning
If you are going to build a firewall, or if you already have one,
a periodic inspection of what traffic is allowed through is a really good idea.
It is said that information security is not a destination, but a journey. Just because
you have bought (or built) a firewall doesn't mean that the job is done. Firewalls
are like relationships; they need constant attention if they are going to work well.
One of the best ways to test a firewall is to throw a lot of packets
at it and see what the firewall accepts and rejects. There are several toolkits
available that can perform this function. The best known of these is called
SATAN (System Administrator's Tool for Analyzing Networks). It was written by Dan Farmer,
a security consultant who now works for EarthLink Networks. SATAN allows an administrator
to perform a series of port scanning operations against a firewall looking for vulnerabilities;
it also has a built-in database of some well-known vulnerabilities that it can try
to exploit.
A derivative work that takes most of its code-base from SATAN
is SAINT (Security Administrator's Integrated
Network Tool). SAINT updates some of SATAN's network scanning capabilities and is
designed to work on Linux out of the box.
Another useful tool called
NMAP can help you create a map of services
on a given host or find all the hosts on a given network that support a given service.
This can be very helpful in tracking down services that are not supposed to be running
on machines on your network.
As I have stated before, tools such as network scanners are very
powerful tools considered by most network managers to be very hostile if used on
their networks without permission. Be careful how, if, when, and where you decide
to experiment with them!
David HM Spector
WebAttack.com freeware downloads: Personal Firewalls (free software from WebAttack.com, a download site for Windows Internet tools).
ZDNet -- Personal Firewalls, by Matthew P. Graven, PC Magazine, January 3, 2001
While you browse the latest headlines or purchase
a cashmere sweater on the Web, some hacker could be lurking in the background,
stealing your credit card numbers or rifling through the data stored on your
system. Simply put, your Internet connection is a wide-open path to your PC
that anyone connected to the Web with malicious intent and technology skills
can skulk down. Broadband connections, because they're always on, are most vulnerable,
but dial-up access also carries risks.
The best solution may be a personal firewall,
which is a security wall between your system and the Internet. These software-based
solutions safeguard against hackers and, in some cases, keep Trojans and other
unauthorized programs from secretly transferring personal information from your
system over the Internet. They all run on Windows 95 and above and Windows NT
4.0 and above, and most support current versions of Microsoft Internet Explorer
and Netscape Communicator.
Network Ice's Blackice Defender 2.1 (www.networkice.com, $39.95
direct) is a personal firewall that specializes in precise and detailed
intrusion detection. It's so protective that even Internet Connection Sharing
(ICS) -- Windows' protocol for allowing two or more systems to share an Internet
connection -- is treated as an attack until you apply the clear-cut configuration
changes specified on Network Ice's Web site. You choose a level of protection
-- Trusting, Cautious, Nervous, or Paranoid -- and the program takes care of
the rest. If it detects an attack, Blackice Defender can immediately lock out
any further access by that particular IP address, trace and log the intrusion,
and alert you to the incident.
Because some malicious code attempts to access
your PC's ports, which are used for networking connections, Zone Labs' extremely
easy-to-configure ZoneAlarm 2.1 (www.zonelabs.com; free for personal
use, $19.95 per year for businesses) blocks all your ports. It also blocks
NetBIOS security holes. For example, though NetBIOS intentionally allows networked
systems to share files, this capability can inadvertently allow others to browse
through your PC's contents.
ZoneAlarm also warns you when a program attempts
to access the Internet; you can allow access always, block it always, or have
ZoneAlarm ask each time.
ZoneAlarm Pro
1.0 ($39.95 per year) adds a number of features,
including support for ICS and enhanced e-mail protection. A nice feature, ZoneAlarm's
MailSafe renames executable e-mail attachments, so you can't accidentally launch
them.
Also free for personal use, Aladdin Knowledge
Systems' eSafe Desktop 2.2 (www.ealaddin.com)
concentrates on defending against malicious code
in active content such as scripts, Java, and ActiveX controls.
Known vandals such as the Back Orifice Trojan are blocked before they're even
saved to disk. Other active content is quarantined in a "sandbox" that permits
execution while protecting system resources against any potential invasive acts.
The product's advanced configuration dialog is daunting in its complexity, but
you may never need to use it except to enable the content filters, which are
disabled by default.
Network Associates' McAfee Firewall 2.1 (www.mcafee-at-home.com,
$29 direct) analyzes network and Internet communication to and from your computer,
so it can both prevent hackers from accessing your system and block unauthorized
programs from calling out over the Net. When it detects an attempt to use the
Internet, McAfee Firewall asks whether it should trust the program. Based on
your answer, it will always allow or always deny that program access. McAfee
Firewall fails in key areas. It requires Microsoft Internet Explorer 4.0 or
later, doesn't support Internet Connection Sharing, and lacks full support for
Windows 2000.
Network Associates' McAfee Internet Guard Dog 3.0 (www.mcafee-at-home.com,
$39 direct) is fanatical about protecting your private information. When any
application attempts to send your specified personal information over the Net,
whether through Web forms, e-mail, chat, or instant messaging, Guard Dog intercepts
it. You can permit or block the application's use of your information, either
always or on a case-by-case basis. On first launch, the program sets off a flurry
of activity, confirming such things as whether your e-mail program is allowed
to send out your e-mail address. This initial configuration, however, is accomplished
fairly quickly.
Privacy settings are user specific: You can permit
your own credit card numbers to be sent on the Web but not allow your children
to send these numbers. Any attempted violations are logged. Among other actions,
the unique Security Check feature scans your hard drive for files containing
personal or financial information and adds them to the list of guarded files.
Access to these files is blocked from all applications that aren't specifically
approved. Guard Dog also deters programs from formatting your disks or reading
your password files and stops attempts by ActiveX controls to delete or scan
files.
Among its many other features are site
blocking, secure password storage, cookie blocking, and a full copy of McAfee
VirusScan. The Pro version ($49 direct) adds an integrated copy
of McAfee Firewall. Guard Dog runs on Windows 9x and Windows Me.
Symantec Corp.'s Norton Personal Firewall 2001 (www.symantec.com; $49.95 direct)
is loaded with dozens of preset rules. Some are program specific, such as one
that denies all access to the NetBus Trojan. Others apply systemwide, like a
function that stops attempts to connect to drives through NetBIOS. If an unknown
application attempts an Internet connection, a wizard leads you through the
process of defining a new rule.
The Norton Privacy Control module lets you specify
confidential information that should not be transmitted through Web forms. For
instance, you can protect your credit card number against Internet Explorer's
AutoComplete feature. This module does not filter information from being sent
via chat, e-mail, or instant messenger.
InternetNews - Intranet News -- Personal Firewalls Fail the Leak Test
In an attempt to show that personal firewalls
may afford their users little protection against serious threats, a respected
PC security expert has released a new software tool that pokes holes in many
of the leading desktop security packages.
Security-conscious Internet users, especially
those on broadband connections, have made desktop firewall software into a booming
business for companies like Symantec and Network Associates. But according to
Steve Gibson, president of Gibson Research,
almost all of these utilities only provide "pseudo protection" against attacks.
That's because they put most of their effort into blocking incoming hacker attacks,
while paying only scant attention to what he calls internal extrusion.
"I really believe the problem of software in
your computer misbehaving is much bigger than the problem of hacker attacks.
Most people don't have any vulnerabilities; there's nothing a hacker can do
to you. So I argue against the necessity of any kind of inbound blocking tool,"
said Gibson.
To prove his point, Gibson has developed a free
utility called LeakTest.
The 27-Kbyte program is a trojan-horse/spyware simulator that attempts to slip
past a personal firewall's defenses and connect to a server on the Internet.
Not surprisingly, popular intrusion detection
programs like
BlackIce Defender
from Network Ice fail to catch the outgoing connection and report it to the
user. But more disturbingly, several firewalls that claim to offer outbound
detection are also fooled by LeakTest. Among them, the best selling
Norton Personal Firewall
and McAfee Firewall.
Both are among a small number of desktop firewall
programs that attempt to address the problem of unauthorized outbound leakage,
but Gibson says they fall short and can be easily fooled or bypassed because
they come pre-programmed to allow some applications to pass through the firewall.
"This idea of allowing all these apps pre-approval
is ludicrous. It's trivial to get permission out of the firewall without notifying
the user," said Gibson, who observed that only one firewall, ZoneLab's
ZoneAlarm, prevents malware from masquerading
as a trusted program.
"They do a cryptographic signature of the programs
you're allowing. That's not hard to do, but they're the only ones who do it,"
he said.
Tom Powledge, Symantec's product manager for
Norton Internet Security,
said the risks outlined by Gibson are low if users are running both a firewall
and anti-virus software. And he said Symantec knows of no instances of programs
that specifically target Norton Personal Firewall, which is shipped with NIS.
But in response to Gibson's critique, Symantec
plans to revise the application integrity checking feature in NIS, with an update
available to users over Live Update by early next week. In the meantime, Powledge
said concerned users can turn off automatic firewall rule creation.
Judging by comments on the LeakTest
message board at Gibson's site, plenty of users are concerned about the
newly exposed porosity of their favorite firewall software. But Symantec's Powledge
said their fears could have been avoided if Gibson had given vendors the customary
advance notice before releasing LeakTest.
"We were seeing no concern about this, and no
exploits have been written. And while this makes customers aware of a potential
issue, it also makes hackers aware," said Powledge.
But Gibson, who had an earlier
run-in with RealNetworks over the
privacy behavior of its RealDownload product, said he's learned that unless
pressure is brought to bear, companies are resistant to change.
"These firewalls are not going to get better
unless there's someone saying and able to prove -- and to enable the user to
prove -- that these things are junk."
Securing Systems with Host-Based Firewalls - Implemented With SunScreen[tm] Lite 3.1 Software
by Martin Englund
This article provides a discussion of why host-based firewalls can be an effective
alternative to choke-point based firewalls or an additional layer of security in
an environment. Details are then provided on how to implement a host-based firewall
using Sun's free host-based firewall software - SunScreen[tm] SecureNet Lite
BlackICE Defender, a software review from WebAttack.com -- BlackICE Defender by Network ICE is a unique Network/Internet security tool that combines a packet filtering personal firewall and an ...
www.webattack.com/reviews/blackice_rv.shtml
Zonelabs is an awesome company with a great product. They also know how to do
business. They don't lie to or try to shaft their customers, they support their
product and they price it reasonably. It's too bad there are not more companies
like them. Zone Alarm's splash screen can be disabled. In Windows Explorer, go to
C:\Windows\All Users\Start Menu\Programs\StartUp and right-click on the ZoneAlarm
shortcut. Select Properties. The Target command line will say something like, "C:\Program
Files\Zone Labs\ZoneAlarm\zonealarm.exe". Just add the switch " -nosplash" (without
quotes) and it will no longer show a splash screen at startup. So that it looks
like this: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" -nosplash (i.e.
put a space between the " and the hyphen)
If you've disabled the pop-up alert window from within the program, you'll see a
-nopopup switch already present in the command line.
Win XP's firewall is weak at best (and then there's the TRUST issue), so don't pass
up this terrific firewall program.
I'm currently a user of Zone Alarm 2, and really enjoy its features. The noted
feature of blocking popup-ads sounds like a winner in my book..
however, I was hoping to hear more on added protection against Firewall Evasion.
You mentioned "finger-printing" to prevent infected applications from accessing
the net, but that's just a bugfix from 2.0's existing feature which did that already,
but it only checked the .exe
What Zone Alarm really needs is the ability to authorize which programs are allowed
to access which sites. Programmers are already aware that a great number of average
users are installing Zone Alarm, so they just find ways around the Firewall. Notably,
if a program is meant to access the internet, say an FTP client, the user will give
that program permission to act as a Server and Access The Internet. So the programmer
simply anticipates this, waits for the user to use the program a few times, by then
they trust it enough to add it to Zone Alarm, before finally phoning home with all
sorts of evil-goodness. Zone Alarm needs to track which sites (not just by IP, but
by DNS) the user allows the program to access, and deny all others.
Anyway, It's still a great tool. Perhaps not as secure as ConSeal or other firewalls
out there, but definitely not as needy and troublesome either.
Roadrunner
ummmm David....most of the "new" features you
laid out for us already exist in the current version.
That said, this is the best personal firewall bar none. Check out the review
and independent study at the Shields Up! security site. It was the only
personal firewall to pass the site owner's "Leak Test" (i.e. it didn't let
stuff out that shouldn't get out). ZoneAlarm was the only reason I knew I
had the Nimda virus (and it stopped it from infecting other machines by
not letting it connect to other servers).
Anyone using zonealarm should also install mynetwatchman
(download at mynetwatchman.com), especially those on dsl or cable connections.
It analyzes firewall logs and sends information on hack attempts back to
the author's site, where statistics are aggregated and reports of the abuse
are sent to the offender's ISP. Take an active role in shutting down the
script kiddies!!!
That person has other problems. I've been using
various versions of ZA with a cable connection (first Cox@Home, and now
Roadrunner), with absolutely NO problems.
E-Safe (Aladdin Security Portal): software security, software protection, Internet security, content filtering, virus and vandal protection, license management, electronic software distribution
Copyright © 1996-2007 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author's free time.
This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License (OPL).
Original materials copyright belong to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author present and former employers, SDNP or any other
organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified:
February 28, 2008