This is a great example of what it’s like to be a firewall admin. Ah, the memories. People seem to think that a firewall is smart. I mean, it’s a "security" device, right? So, if it sees something "bad" it will just block it, right? No, firewalls are in fact stupid. They just do what you tell them to do, nothing more and nothing less. If you tell them to allow everything, they will do just that and open the floodgates. It’s important that you, the human, put some context around each rule and be the intelligence. Firewalls are a tool, kind of like a hammer. Swing it at a window and it will break the window. Hit the nails the right way and you can build a house.
But at its core it is still a tool that is designed to allow traffic through. I was once talking with Marcus Ranum and he said the firewall was a beautiful thing before everyone shot a hole into it, right through port 80.
There are a few things you want to consider when implementing and auditing a firewall. First, a firewall can enforce "rules" that are not displayed in the ruleset you see. For example, check out ioscat and iosmap. Next, take a look at the Implied Rules on Check Point firewalls.
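As an added illustration (not code from the original post) of the "they do exactly what you tell them" point and of what a ruleset audit looks for, here is a constructed first-match ruleset containing an any/any allow and a deny that can never fire, evaluated and flagged in Python. The rules, addresses and helper names are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example ruleset, evaluated top-down with first match winning.
# Each rule: (action, src_cidr, dst_cidr, dst_port); port None means any port.
RULES = [
    ("allow", "10.0.0.0/8",     "192.168.1.10/32", 443),
    ("allow", "0.0.0.0/0",      "0.0.0.0/0",       80),    # the hole shot through port 80
    ("deny",  "203.0.113.0/24", "192.168.1.10/32", 80),    # shadowed by the rule above
    ("allow", "0.0.0.0/0",      "0.0.0.0/0",       None),  # "allow everything": the floodgates
    ("deny",  "0.0.0.0/0",      "0.0.0.0/0",       None),  # never reached
]


def matches(rule, src, dst, port):
    """True if a packet src->dst:port is matched by this rule."""
    _, rsrc, rdst, rport = rule
    return (ip_address(src) in ip_network(rsrc)
            and ip_address(dst) in ip_network(rdst)
            and (rport is None or rport == port))


def evaluate(rules, src, dst, port):
    """Return (rule index, action) of the first match, or (None, 'deny') for the implicit default."""
    for i, rule in enumerate(rules):
        if matches(rule, src, dst, port):
            return i, rule[0]
    return None, "deny"


def is_any_any(rule):
    _, rsrc, rdst, rport = rule
    return ip_network(rsrc).prefixlen == 0 and ip_network(rdst).prefixlen == 0 and rport is None


def covers(a, b):
    """True if rule a matches every packet that rule b matches (so b is dead if a comes first)."""
    return (ip_network(b[1]).subnet_of(ip_network(a[1]))
            and ip_network(b[2]).subnet_of(ip_network(a[2]))
            and (a[3] is None or a[3] == b[3]))


def audit(rules):
    """Flag any/any allows and rules shadowed by an earlier rule.
    Feed it the full effective ruleset: product-specific implied rules that the
    GUI hides are not modelled here and must be added to the input by hand."""
    findings = []
    for i, rule in enumerate(rules):
        if rule[0] == "allow" and is_any_any(rule):
            findings.append((i, "allow any/any: opens the floodgates"))
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, f"shadowed by rule {j}: never evaluated"))
                break
    return findings
```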
The point is: yes, they are dumb, and yes, they do exactly what you tell them to.
Except when they don’t.
In God we trust… ‘til he builds a firewall, we'll audit all others.
Originally discussed during episode 233
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration Testers this April in Reston, VA, April 15 - 23.