validation of FW installation

Hello!

I'm in the process of installing about 10 FWs (commercial, on a proprietary platform) and am wondering how to validate the installation and rules, possibly in a semi-automatic way. For the 2 installations I've used nmap in various modes while snooping packets to and from the FW. This approach to validation seems a bit time consuming and not so extensive; however, I couldn't come up with better ideas. A bit of Googling returned things like CIS Router Auditing Tool and not much more.

Ideas welcomed.

TIA

/CM


I have a similar, perhaps harder, problem - a couple dozen production commercial firewalls management says must be swapped out with another vendor's firewall product. Most of them have 5 or more interfaces, and complex configurations. Google came up short for me too - this would make a nice open source project!

I've been experimenting with a couple of multi-homed Solaris boxes configured to emulate the inside and outside hosts, running ipfilter for source routing.

Listeners are shell scripts controlled by inetd that simply determine the endpoints (using lsof), log the details, echo them to the client, and disconnect. Initiators are more shell scripts that use netcat to generate a sequence of connections as specified in configuration files, and log the results - including the endpoint details from the listener.

This approach works quite well for verifying permitted traffic and address/port translations, since the initiator should produce identical logs when run against legacy and strategic (management's terms) firewalls, but it's time consuming to configure and less useful for traffic which should be denied as it (currently) requires eyeballing the firewall logs to check that connections were denied as opposed to failing due to misconfiguration. It also works better for TCP than UDP - but once set up and debugged, the test runs are automated and repeatable.

My results to date suggest it's a viable framework, but the development effort required to make it truly useful is fairly daunting...

Triffid

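The listener/initiator scheme Triffid describes (and the semi-automatic rule check the original question asks for) can be sketched in a single script. This is an added example, not either poster's scripts: the listener reports the endpoints it saw instead of calling lsof, the initiator works through a test matrix instead of netcat configuration files, and every attempt is classified so that denied traffic is checked by the harness rather than by eyeballing firewall logs. The test matrix, host names and case names below are constructed; on a real rig the listener runs on the "outside" host, the initiator on the "inside" host, and `expect_src` holds the address the listener should see after translation.

```python
"""Firewall rule validation harness (added example, modelled on the
listener/initiator approach in the thread; not the poster's own scripts).

Listener: accepts a TCP connection, reports the endpoints it saw as one
JSON line, and closes.  Initiator: runs a test matrix, classifies each
attempt, compares it with the expectation, and can diff two runs
(e.g. legacy vs replacement firewall) to find behaviour changes.
"""
import json
import socket
import threading


def start_echo_listener(host="127.0.0.1", port=0):
    """Start a listener thread; returns (bound_port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            with conn:
                # What the listener saw: source address after any NAT, and
                # the destination address/port the connection arrived on.
                seen = {"peer": list(peer), "local": list(conn.getsockname())}
                conn.sendall(json.dumps(seen).encode() + b"\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def probe(host, port, timeout=2.0):
    """One initiator attempt, classified as:
    allowed     - connected and read the listener's endpoint report
    refused     - TCP RST came back (closed port, or a 'reject' rule)
    filtered    - silence until the timeout (a 'drop' rule)
    unreachable - local routing/network error, i.e. test-rig trouble
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            line = s.makefile("rb").readline()
            return {"result": "allowed",
                    "listener_saw": json.loads(line) if line else None}
    except ConnectionRefusedError:
        return {"result": "refused", "listener_saw": None}
    except socket.timeout:
        return {"result": "filtered", "listener_saw": None}
    except OSError as exc:
        return {"result": "unreachable", "error": str(exc), "listener_saw": None}


def run_matrix(matrix, timeout=2.0):
    """Run every case in the (constructed) matrix; records keyed by name."""
    return {c["name"]: dict(c, **probe(c["host"], c["port"], timeout))
            for c in matrix}


def evaluate(records):
    """'allow' must connect (and match expect_src if given); 'deny' accepts
    a reject or a drop; 'unreachable' always fails, since the rig rather
    than the firewall stopped the connection."""
    verdicts = {}
    for name, rec in records.items():
        if rec["expect"] == "allow":
            ok = rec["result"] == "allowed"
            if ok and "expect_src" in rec:
                saw = rec.get("listener_saw") or {}
                ok = saw.get("peer", [None])[0] == rec["expect_src"]
        else:
            ok = rec["result"] in ("refused", "filtered")
        verdicts[name] = "PASS" if ok else "FAIL"
    return verdicts


def _signature(rec):
    saw = rec.get("listener_saw") or {}
    return rec.get("result"), tuple(saw.get("peer", ()))


def diff_runs(run_a, run_b):
    """Case names whose outcome or observed endpoint differs between runs."""
    return sorted(k for k in set(run_a) | set(run_b)
                  if _signature(run_a.get(k, {})) != _signature(run_b.get(k, {})))


def free_port():
    """A currently unused local port, to stand in for a denied service."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_echo_listener()
    matrix = [  # constructed cases; real ones point across the firewall
        {"name": "mgmt-to-web", "host": "127.0.0.1", "port": port,
         "expect": "allow", "expect_src": "127.0.0.1"},
        {"name": "guest-to-db", "host": "127.0.0.1", "port": free_port(),
         "expect": "deny"},
    ]
    run = run_matrix(matrix)
    print(json.dumps(evaluate(run), indent=2))
    stop()
```

Running the same matrix against the legacy and the replacement firewall and passing both result sets to `diff_runs` gives the "identical logs" comparison directly; a case that comes back `unreachable` or `filtered` where a `refused` was expected points at the rig or at a drop-versus-reject difference rather than at a permitted flow, which is the distinction that otherwise needs the firewall logs.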

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.