Proxy 2.0 secure?

Kjell Wooding kwooding@codetalker.com
Thu, 25 Jun 1998 13:51:36 -0600


>I would like to see some extensive security testing against firewalls,
>similar to one that SNI made against IDSs. Is there something similar
>available on the net? [or at least close, just not "we used ISS against
>FW-1" tests...]

I would love to see (or do) some myself. I put a few of the major NT
firewalls through
some of this sort of testing when evaluating them for a client. Many of
them turned up oddities
that should be further investigated. (Cyberguard, for instance, happily
passes all fragments #2 and up through the firewall, both ways, unlogged.
Sure. Filtering is done on #0 (#1 is dropped), but statefullness should
enter into the equation somewhere). Many of them had trouble (or a complete
inability) to filter ICMP (ie. Guardian - allow ping = allow all ICMP).
Early versions of Firewall/Plus had a nasty statefulness bug (now fixed,
though not in the DOS version).

Those kinds of behaviors worry me. A nice, scripted testbench would be a
great start.

-kj

--
Kjell Wooding <kwooding@codetalker.com>
Codetalker Communications, Inc.

For the latest Infosec News, see http://www.codetalker.com/