How to perform effective firewall testing

Computer Security Journal

Volumn 12, Issue 1, 1996, Pages 47-55

  Eugene Schultz, E ^a  

^a SRI INTERNATIONAL   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER ARCHITECTURE; GATEWAYS (COMPUTER NETWORKS); INDUSTRIAL MANAGEMENT; INFORMATION SERVICES; NETWORK PROTOCOLS; PUBLIC POLICY; STRATEGIC PLANNING; TELECOMMUNICATION SERVICES; WIDE AREA NETWORKS;

FIREWALL TESTING; INTERNET PROTOCOL (IP);

SECURITY OF DATA;

EID: 0030089329     PISSN: 02770865     EISSN: None     Source Type: Trade Journal    
DOI: None     Document Type: Article

References (15)

1. Cheswick, W.R. and Bellovin, S.M. (1994) Firewalls and Internet Security: Repelling the Wily Hacker. Reading, Mass.: Addison-Wesley.
2. Schultz, E.E. (1995) "A New Perspective on Firewalls," Proceedings of The Twelfth World Conference on Computer Security, Audit and Control, pp. 22-26.
3. Power, R. (1995) "CSI Special Report on Firewalls: How Not to Build a Firewall," Computer Security Journal, Vol. 9, Issue 1, pp. 1-10.
4. Oregon vs. Schwartz (1995) Criminal case tried in Washington County, Oregon.
5. The Computer Emergency Response Team at Carnegie-Mellon University.
6. Cheswick & Bellovin, 1994. Chapman, D. B., and Zwicky, E. (1995) Building Internet Firewalls, O'Reilly and Associates (Sebastopol, CA.).
7. Effective firewall penetration testing involves more than simply attacking the firewall and the systems it protects. It includes systematically determining how the firewall protects everything it is supposed to protect.
8. Obtaining written authorization to test every host included in the test plan is a good idea. Failure to obtain pre-approval can cause the same kinds of problems as failing to obtain management authorization to perform testing.
9. "War dialers" are programs that dial one telephone number after another to find numbers of modems.
10. Ensure that any attack scripts used are well-guarded, so that they do not fall into the wrong hands.
11. Remember, however, that some widely available scripts such as SATAN (Security Analysis Tool for Auditing Networks) can detect only a very limited set of vulnerabilities are thus not very suitable for most firewall tests.
12. In an IP spoofing attack an intruder establishes a connection to a server from a host that masquerades as a legitimate client.
13. Thomsen, D. (1995) "IP Spoofing and Session Hijacking." Network Security, March, 1995, pp. 6-11
14. Social engineering is using deception to obtain information to be used in attacking systems and networks.
15. Winkler, I.S. & Dealy, B. (1995) "Information Security Technology? ... Don't Rely on It: A Case Study in Social Engineering," Proceedings of USENIX Security Symposium.