Security Testing - Tilted Forum Project Discussion Community

Kongen · 11-26-2003, 11:31 PM

Hey

Does anyone here have any advice on which firewall is the best. I'm using Tiny Personal now...and it seems pretty good.

Also I'd like to recommend a site that let's you test your firewall:
http://www.grc.com

Try the shields up program. Should be a link somewhere on grc.

Do any of you have any other links to sites that test your security ?

peacy · 11-27-2003, 04:28 AM

NMAP is a really good software to test your firewall... (it's free of course...)

Get it from here

cliv · 11-27-2003, 07:00 AM

I primarily use Broadband Reports security tools: http://www.broadbandreports.com/tools

I have used Security Space in the past, be they appear to have undergone some changes since I the last time I used them:
http://www.securityspace.com/sspace/index.html

sailor · 11-27-2003, 07:21 AM

I use Sygate. Its worked pretty well for me so far.

Pragma · 11-28-2003, 04:52 PM

If you want the best results and the most control, have a friend run nmap against your computer - so you get an "external" viewpoint. I've had some experienced with the GRC Shields Up scanner, and not to sound like a broken record (as I've said this on serveral other threads) their scan is very lacking in both comprehensiveness and accuracy. I've specifically opened ports on my firewall, had services listening on those ports, and received a clean bill of health from them.

Basically, nmap is your best bet.

Sunrise · 11-28-2003, 09:05 PM

Kerio Personal Firewall 2 (2.1.15 i think is the last version of it?) is the best.

TheShadow · 11-28-2003, 11:21 PM

An excellent program with a GUI would be Retina... Tells you what's exploitable, and how to fix it. It also updates itself, so you can always know if your system is secure.

hk- · 11-29-2003, 06:17 AM

Yep, I used to work for a company that do network security, when we'd g out to clients networks to run checks on their networks Retina would be my weapon of choice, a lot of the other guys use it to.

There is no single definate solution, you need to combine Retina with nmap, do some external scans, do scans from your machine.

Have a gander at http://www.grc.com/default.htm for gibsons shields up, thats a good quick test, but as well as firewalling you need to make sure your machine is secure (software vurnaribility wise).

-Anders · 11-29-2003, 03:14 PM

The best firewall is ofcouse an hardware firewall, but if you have to go with a software based one, go with kerio or that other one I used that I cant remember the name of

hk- · 11-30-2003, 01:04 AM

Quote:

Originally posted by -Anders
The best firewall is ofcouse an hardware firewall

Not true.

Pragma · 11-30-2003, 07:52 AM

Agreed, hk-. Any firewall, hardware or software, is as strong or vulnerable as the ruleset it consists of. If they're both set with identical rules, there really isn't a major advantage of one versus the other. The only difference is that with "hardware firewalls" you can use that machine as a NAT box as well, and therefore protect a larger number of machines with a single ruleset, instead of having individually configured software packages on each machine.

The key is being thorough when establishing what you absolutely have to let through the firewall (inbound and outbound), not what type of firewall you have.

hk- · 12-01-2003, 04:36 AM

^^ Indeed, I just couldnt be arsed to go into all of that. Also with hardware firewalls you have their vurnability issues, if your running a n*x box as a firewall for example with ipchains/iptables/whatever as your firewall, you have to make sure that the box running the firewall is secure.

The number of times I have been pen testing for a company and they show me their firewall and the damn thing is running telnetd... well i've lost count.

(Telnet can be made to fall over in the time it take to blink, thus giving access to the firewall box, thus an attacker can turn off the firewall, whats worse is they control a box on your network... fun!).

-Anders · 12-01-2003, 04:54 AM

The fact that a software firewall can be disabled by e.g. a virus is enough to make me get an hardware firewall.

Quote:

if your running a n*x box as a firewall for example with ipchains/iptables/whatever as your firewall, you have to make sure that the box running the firewall is secure.

^^ That's still a software firewall.
When I'm refering to a hardware firewall, i mean a box from cisco or the likes.

Pragma · 12-01-2003, 06:02 AM

Cisco PIX boxes still aren't the be all and end all of firewalls.

To repeat: Any firewall, unless you set it up properly, is insecure. This includes PIX firewalls.

I've got an OpenBSD machine I use as my "firewall" - it's got very few open ports (less than the fingers on one hand), and OpenBSD is a very secure OS (Only one remote hole in the default install, in more than 7 years). I consider that to be "good enough" for my purposes.

Given OpenBSD's security record, I feel that I can discount the "firewall getting hacked" possibility and concentrate on just the packet filtering job of the firewall.

And, just for fun, I did a quick google search for you, -Anders:
A year-ish old vulnerability report from Cisco on their PIX firewalls. Everything has holes. Everything.

hk- · 12-01-2003, 08:56 AM

Even the "hardware" firewalls run SOFTWARE... using CISCO as the example, their rapid blaze switches, thats hardware switching, but it still runs software, point proven by the fact that about 4 months ago we (the company I work for) found a hole in their management software which meant that we could make any CICSO switch of the same model start generating random malicious packet data.

Whats the relevance? Even if its a "hardware solution" its still running some form of software. There is no way other than physically unplugging a system, to make it "safe" or not vunrable to attacks. Trust me on this, I get paid mega bucks to do this kind of shite

11-26-2003, 11:31 PM	#1 (permalink)
Kongen Upright	Security Testing Hey Does anyone here have any advice on which firewall is the best. I'm using Tiny Personal now...and it seems pretty good. Also I'd like to recommend a site that let's you test your firewall: http://www.grc.com Try the shields up program. Should be a link somewhere on grc. Do any of you have any other links to sites that test your security ?

11-27-2003, 07:21 AM	#4 (permalink)
sailor beauty in the breakdown Location: Chapel Hill, NC	I use Sygate. Its worked pretty well for me so far. __________________ "Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." --Plato

11-28-2003, 04:52 PM	#5 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	If you want the best results and the most control, have a friend run nmap against your computer - so you get an "external" viewpoint. I've had some experienced with the GRC Shields Up scanner, and not to sound like a broken record (as I've said this on serveral other threads) their scan is very lacking in both comprehensiveness and accuracy. I've specifically opened ports on my firewall, had services listening on those ports, and received a clean bill of health from them. Basically, nmap is your best bet. __________________ Eat antimatter, Posleen-boy!

11-28-2003, 11:21 PM	#7 (permalink)
TheShadow Crazy Location: Vancouver, Canada	An excellent program with a GUI would be Retina... Tells you what's exploitable, and how to fix it. It also updates itself, so you can always know if your system is secure. __________________ You know that song that goes like...

11-29-2003, 06:17 AM	#8 (permalink)
hk- Upright	Yep, I used to work for a company that do network security, when we'd g out to clients networks to run checks on their networks Retina would be my weapon of choice, a lot of the other guys use it to. There is no single definate solution, you need to combine Retina with nmap, do some external scans, do scans from your machine. Have a gander at http://www.grc.com/default.htm for gibsons shields up, thats a good quick test, but as well as firewalling you need to make sure your machine is secure (software vurnaribility wise). __________________ [ hk ] [ hk.hamlesh.com ]

11-27-2003, 04:28 AM	#2 (permalink)
peacy Crazy Location: Reading, UK	NMAP is a really good software to test your firewall... (it's free of course...) Get it from here

11-27-2003, 07:00 AM	#3 (permalink)
cliv Insane Location: New Jersey, USA	I primarily use Broadband Reports security tools: http://www.broadbandreports.com/tools I have used Security Space in the past, be they appear to have undergone some changes since I the last time I used them: http://www.securityspace.com/sspace/index.html

11-28-2003, 09:05 PM	#6 (permalink)
Sunrise Crazy Location: Melbourne, Australia	Kerio Personal Firewall 2 (2.1.15 i think is the last version of it?) is the best.

11-29-2003, 03:14 PM	#9 (permalink)
-Anders Custom title. Location: Denmark.	The best firewall is ofcouse an hardware firewall, but if you have to go with a software based one, go with kerio or that other one I used that I cant remember the name of __________________ Signature 101

11-30-2003, 07:52 AM	#11 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	Agreed, hk-. Any firewall, hardware or software, is as strong or vulnerable as the ruleset it consists of. If they're both set with identical rules, there really isn't a major advantage of one versus the other. The only difference is that with "hardware firewalls" you can use that machine as a NAT box as well, and therefore protect a larger number of machines with a single ruleset, instead of having individually configured software packages on each machine. The key is being thorough when establishing what you absolutely have to let through the firewall (inbound and outbound), not what type of firewall you have. __________________ Eat antimatter, Posleen-boy!

12-01-2003, 04:36 AM	#12 (permalink)
hk- Upright	^^ Indeed, I just couldnt be arsed to go into all of that. Also with hardware firewalls you have their vurnability issues, if your running a n*x box as a firewall for example with ipchains/iptables/whatever as your firewall, you have to make sure that the box running the firewall is secure. The number of times I have been pen testing for a company and they show me their firewall and the damn thing is running telnetd... well i've lost count. (Telnet can be made to fall over in the time it take to blink, thus giving access to the firewall box, thus an attacker can turn off the firewall, whats worse is they control a box on your network... fun!). __________________ [ hk ] [ hk.hamlesh.com ]

12-01-2003, 06:02 AM	#14 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	Cisco PIX boxes still aren't the be all and end all of firewalls. To repeat: Any firewall, unless you set it up properly, is insecure. This includes PIX firewalls. I've got an OpenBSD machine I use as my "firewall" - it's got very few open ports (less than the fingers on one hand), and OpenBSD is a very secure OS (Only one remote hole in the default install, in more than 7 years). I consider that to be "good enough" for my purposes. Given OpenBSD's security record, I feel that I can discount the "firewall getting hacked" possibility and concentrate on just the packet filtering job of the firewall. And, just for fun, I did a quick google search for you, -Anders: A year-ish old vulnerability report from Cisco on their PIX firewalls. Everything has holes. Everything. __________________ Eat antimatter, Posleen-boy!

12-01-2003, 08:56 AM	#15 (permalink)
hk- Upright	Even the "hardware" firewalls run SOFTWARE... using CISCO as the example, their rapid blaze switches, thats hardware switching, but it still runs software, point proven by the fact that about 4 months ago we (the company I work for) found a hole in their management software which meant that we could make any CICSO switch of the same model start generating random malicious packet data. Whats the relevance? Even if its a "hardware solution" its still running some form of software. There is no way other than physically unplugging a system, to make it "safe" or not vunrable to attacks. Trust me on this, I get paid mega bucks to do this kind of shite __________________ [ hk ] [ hk.hamlesh.com ]