Great Circle Associates Firewalls
(August 1997)
 


Subject: Remote Firewall Penetration Testing
From: Frank Willoughby <frankw @ in . net>
Date: Fri, 29 Aug 1997 10:10:30 -0500
To: firewalls @ GreatCircle . com

I am constantly amazed at the number of companies (who are otherwise 
reputable) performing Remote Security Testing of firewalls or 
systems across the Internet.  

This is *very* dangerous.  IMHO, anyone who utilizes this service runs 
a *significantly* greater risk of having their firewalls (or systems) 
penetrated than if they didn't use this service.

Here's why.

The bad guys know who the good guys are & which ones are offering a 
Remote Firewall Security Testing Service.  Consequently, they already
know the vendor's IP address.  All the attackers need to do is to get
anywhere on the network (Internet) between the vendor and the customer 
(victim).  Frequently, they will take out a local ISP to accomplish this.  
(Truly devious attackers probably offer this as a "free" service which 
may be obtained via their web page.)

At this point, all the attacker needs to do is wait for the vendor 
to initiate the testing of the customer's firewall. Since the 
attackers already know the IP address of the vendor, they only 
need to look at the destination address in the packet headers to
find the IP address of the customer & their next victim.  

While the vendor is testing the firewall (probably a 15-30 minute 
test), the attackers will also be running their own tests.  If the 
firewall has any vulnerabilities, the vulnerabilities will (hopefully) 
be detected and fixed quickly.  


The problem is that there exists a window of vulnerability between
when the vulnerabilities are detected and the problems are fixed.  
Typically, this window of vulnerability is @ 1-2 weeks.
It may be longer, if the vendor needs to produce a patch.

An attacker will be able to take advantage of this window of 
vulnerability (or opportunity, as they would see it) to take 
out the firewall, wipe the logs of the successful break-in, 
upload their tools, create new accounts & backdoors, and start 
taking out the company.

In other words, when performing a Remote Firewall Testing Service, 
the vendor runs the risk of leading the attackers to their next victims.


Last, but not least.  It goes without saying, but I will anyway. 8^)


Best Regards,


Frank  
PS - We offer a vendor-neutral Firewall Evaluation/Penetration Test 
     Service in which we subject the firewall to over 400 tough security 
     tests (manual & automated).  This helps to ensure that the firewall 
     is robust enough to meet the security challenges posed by connecting 
     a company to the Internet.  

     We never have tested firewalls remotely and we never will.  


The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800     Fax:   (317) 573-0817

