Solved

Firewall scanning with Nessus

Posted on 2009-03-31
3
1,449 Views
Last Modified: 2013-11-16
We have a Cisco ASA firewall that is configure to go. We want to do some scanning for possible vulnerability.

The firewall is currently set to allow TCP traffic to one specific port, say 1005, to one direction only (other way will be deny). All other traffics are deny using ACL.

What should I do to test for possible vulnerability? We have full version of Nessus and NMAP available.

A consultant suggested us to do both positive testing (making sure the firewall rule will allow the traffic you want) and negative testing (verifying that it will blocks traffic that is not defined).

He didn't mention the details....  Can someone help me out? thanks!
0
Comment
Question by:SPERTW
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 165 total points
ID: 24035059
ok, you have two factors there.

you have a rulebase that says "for the range of addresses x.x.x.x to y.y.y.y, allow access on port zzz"

you can test that with suitable port scanning software, but to be honest it isn't worthwhile - if the rulebase says that, then outside of someone exploiting a bug in the ASA software, that is what you are going to get. now, an active exploit of ASA would be worth testing for, but pentesters (and obviously, blackhats) keep those close to their chest.

second, you can assume that an attacker has access to the open port, and configure nessus to throw every attack it knows how to run against the application behind that port against the outside firewall - usually by placing the testing machine outside the asa, making sure its IP is in the permitted range, then running the test.

0
 
LVL 4

Assisted Solution

by:Multipath
Multipath earned 165 total points
ID: 24036179
In my experience scanning a firewall is never a good idea, the best thing to do is to track vulnerabilities to your version.  The reasons for this are simple, if someone outside scans the firewall they are going ot get locked out of traffic trough the content scanning engine.  What you can do to test if hte firewall is working is to test through know open ports to known applications behind the ports this will give you a good idea of you outside threat level.  I would however suggest that you give no special rules to the outside scanning engine as you want the firewall to do its job and stop the traffic if it sees it this will give you a win with your management because you can show the attacks against the services and the firewall stopping the attacks while still letting good traffic through.
0
 
LVL 20

Accepted Solution

by:
jdera earned 170 total points
ID: 24275798
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5505's for VPN study 15 63
VPN tunnel between Watchguard and OpenVPN? 1 136
Setup another VLAN on Fortigate 3 39
Sonicwall guest user accounts 2 31
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question