![]() |
![]() |
#1 (permalink) |
Upright
|
Security Testing
Hey
Does anyone here have any advice on which firewall is the best. I'm using Tiny Personal now...and it seems pretty good. Also I'd like to recommend a site that let's you test your firewall: http://www.grc.com Try the shields up program. Should be a link somewhere on grc. Do any of you have any other links to sites that test your security ? |
![]() |
![]() |
#3 (permalink) |
Insane
Location: New Jersey, USA
|
I primarily use Broadband Reports security tools: http://www.broadbandreports.com/tools
I have used Security Space in the past, be they appear to have undergone some changes since I the last time I used them: http://www.securityspace.com/sspace/index.html |
![]() |
![]() |
#5 (permalink) |
I am Winter Born
Location: Alexandria, VA
|
If you want the best results and the most control, have a friend run nmap against your computer - so you get an "external" viewpoint. I've had some experienced with the GRC Shields Up scanner, and not to sound like a broken record (as I've said this on serveral other threads) their scan is very lacking in both comprehensiveness and accuracy. I've specifically opened ports on my firewall, had services listening on those ports, and received a clean bill of health from them.
Basically, nmap is your best bet.
__________________
Eat antimatter, Posleen-boy! |
![]() |
![]() |
#8 (permalink) |
Upright
|
Yep, I used to work for a company that do network security, when we'd g out to clients networks to run checks on their networks Retina would be my weapon of choice, a lot of the other guys use it to.
There is no single definate solution, you need to combine Retina with nmap, do some external scans, do scans from your machine. Have a gander at http://www.grc.com/default.htm for gibsons shields up, thats a good quick test, but as well as firewalling you need to make sure your machine is secure (software vurnaribility wise).
__________________
[ hk ] [ hk.hamlesh.com ] |
![]() |
![]() |
#11 (permalink) |
I am Winter Born
Location: Alexandria, VA
|
Agreed, hk-. Any firewall, hardware or software, is as strong or vulnerable as the ruleset it consists of. If they're both set with identical rules, there really isn't a major advantage of one versus the other. The only difference is that with "hardware firewalls" you can use that machine as a NAT box as well, and therefore protect a larger number of machines with a single ruleset, instead of having individually configured software packages on each machine.
The key is being thorough when establishing what you absolutely have to let through the firewall (inbound and outbound), not what type of firewall you have.
__________________
Eat antimatter, Posleen-boy! |
![]() |
![]() |
#12 (permalink) |
Upright
|
^^ Indeed, I just couldnt be arsed to go into all of that. Also with hardware firewalls you have their vurnability issues, if your running a n*x box as a firewall for example with ipchains/iptables/whatever as your firewall, you have to make sure that the box running the firewall is secure.
The number of times I have been pen testing for a company and they show me their firewall and the damn thing is running telnetd... well i've lost count. (Telnet can be made to fall over in the time it take to blink, thus giving access to the firewall box, thus an attacker can turn off the firewall, whats worse is they control a box on your network... fun!).
__________________
[ hk ] [ hk.hamlesh.com ] |
![]() |
![]() |
#13 (permalink) | |
Custom title.
Location: Denmark.
|
The fact that a software firewall can be disabled by e.g. a virus is enough to make me get an hardware firewall.
Quote:
When I'm refering to a hardware firewall, i mean a box from cisco or the likes.
__________________
Signature 101 |
|
![]() |
![]() |
#14 (permalink) |
I am Winter Born
Location: Alexandria, VA
|
Cisco PIX boxes still aren't the be all and end all of firewalls.
To repeat: Any firewall, unless you set it up properly, is insecure. This includes PIX firewalls. I've got an OpenBSD machine I use as my "firewall" - it's got very few open ports (less than the fingers on one hand), and OpenBSD is a very secure OS (Only one remote hole in the default install, in more than 7 years). I consider that to be "good enough" for my purposes. Given OpenBSD's security record, I feel that I can discount the "firewall getting hacked" possibility and concentrate on just the packet filtering job of the firewall. And, just for fun, I did a quick google search for you, -Anders: A year-ish old vulnerability report from Cisco on their PIX firewalls. Everything has holes. Everything. ![]()
__________________
Eat antimatter, Posleen-boy! |
![]() |
![]() |
#15 (permalink) |
Upright
|
Even the "hardware" firewalls run SOFTWARE... using CISCO as the example, their rapid blaze switches, thats hardware switching, but it still runs software, point proven by the fact that about 4 months ago we (the company I work for) found a hole in their management software which meant that we could make any CICSO switch of the same model start generating random malicious packet data.
Whats the relevance? Even if its a "hardware solution" its still running some form of software. There is no way other than physically unplugging a system, to make it "safe" or not vunrable to attacks. Trust me on this, I get paid mega bucks to do this kind of shite ![]()
__________________
[ hk ] [ hk.hamlesh.com ] |
![]() |
Tags |
security, testing |
|
|