Testing your Firewall with fragrouter


As we mentioned earlier, fragmentation attacks are a classic way to beat packet-filtering firewalls: a filter that judges each IP fragment on its own can be handed a first fragment too short to contain the TCP flags (or a later fragment that overwrites them) and will pass traffic it should have dropped. This is not normally an issue with iptables/netfilter, because connection tracking reassembles fragments before the rules see them; it can still bite under certain conditions, such as a filter running without connection tracking or an ACL on a router or switch. And if you ever need to assess the firewall capabilities of a piece of network gear alongside your Linux firewalls, this is a great way to do it.

To test your firewall(s) with fragrouter, you will need three systems in addition to the firewall/packet filter itself, because fragrouter by design cannot be run on the same system you are testing from (according to its documentation, this is to hinder abuse). In this example we therefore have four systems: the firewall, our scanner box called Host-A, the iplog machine (the target) called Host-B, and the fragrouter system called Host-C.

Figure 10.3. Testing packet filters with fragrouter.


We'll assume you've already set up Host-A and Host-B as outlined here. Our Host-C system is an aged Redhat 7.2 box. Although Redhat has End-Of-Lifed (EOL) this OS, security updates are still available from the FedoraLegacy.org project for at least another year and a half past the EOL date, so it is a safe, supported OS that should not expose you to any unreasonable additional risk in a testing environment. That long-winded preamble aside, you'll need to install fragrouter on that system; we mention the OS at all because we have only managed to get fragrouter to build and run on older Redhat systems.

On Host-A: add a host route to Host-B that uses Host-C as the gateway. Only traffic from Host-A to Host-B is sent through fragrouter; Host-A's default route is left alone:

 [root@Host-A root]# route add -host Host-B gw Host-C 

On Host-C: install and start fragrouter. Make sure the kernel's own IP forwarding is turned off on Host-C (ip_forward set to 0), otherwise the kernel forwards Host-A's packets intact alongside the fragmented copies fragrouter sends. The -F1 mode sends each datagram as ordered 8-byte IP fragments; fragrouter has other modes (see its man page) for out-of-order, duplicated and otherwise mangled fragments:

 [root@Host-C root]# fragrouter -F1 
 fragrouter: frag-1 started 

On Host-A, open your TCP connections, run your nmap scans and so on, and watch what shows up in Host-B's iplog output. Note that only the Host-A to Host-B direction passes through fragrouter; return traffic from Host-B to Host-A takes the normal path, which is handy if you're also testing more advanced setups such as combining your firewall with an IDS. In general, if the firewall handles fragments correctly, what you see on Host-B will be the same as in the nonfragmented tests. You can also perform fragmentation tests with nmap's -f flag, but what's nice about fragrouter is that it fragments whatever you send through it, so you can test any application you like (web, NFS, mail, and so on) in a fragmented state. When it comes to demonstrating what the risk from fragmentation attacks actually is, this is a fantastic way to do it.
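The following Python example is added here to make that risk concrete without any test network; it is not code from the book or from fragrouter. It builds the kind of packet Host-A would send (a TCP SYN to port 23 on Host-B), cuts it into ordered 8-byte IP fragments the way fragrouter -F1 does, and runs the result through two toy filters: one that judges each fragment on its own (which a filter without reassembly, such as a stateless router ACL, effectively does) and one that reassembles the datagram first. The addresses, ports and the "no new connections to port 23" policy are constructed for the demo, and the RFC 1858 check at the end is a documented countermeasure, not something the book prescribes.

```python
"""Why 8-byte fragments beat a packet filter that does not reassemble.

Added example, not code from the book or from fragrouter. A TCP SYN from
Host-A to port 23 on Host-B is cut into ordered 8-byte IP fragments, as
fragrouter -F1 does, and judged by a filter that looks at each fragment
alone and by one that reassembles first. Addresses, ports and the policy
are constructed for the demo; checksums stay zero since nothing hits the wire.
"""
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
IP_MF = 0x2000            # "More Fragments" bit in the IPv4 flags/offset field
BLOCKED_PORT = 23         # demo policy: no new connections to telnet

def build_tcp_syn(sport, dport, seq=0x11223344):
    """20-byte TCP header, SYN only: ports at bytes 0-3, flags at byte 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 8192, 0, 0)

def build_ipv4(src, dst, payload, ident=0x4242, flags_off=0, proto=6):
    """IPv4 header without options in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def parse_ipv4(pkt):
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ident": ident, "proto": proto, "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & 0x1FFF) * 8,      # byte offset of this payload
            "payload": pkt[(ver_ihl & 0x0F) * 4:total]}

def fragment(datagram, frag_size=8):
    """Ordered fragments of frag_size payload bytes; 8 is what fragrouter -F1 sends."""
    assert frag_size % 8 == 0, "fragment offsets are in 8-byte units"
    p = parse_ipv4(datagram)
    chunks = [p["payload"][i:i + frag_size] for i in range(0, len(p["payload"]), frag_size)]
    return [build_ipv4(p["src"], p["dst"], chunk, p["ident"],
                       (n * frag_size // 8) | (IP_MF if n < len(chunks) - 1 else 0),
                       p["proto"]) for n, chunk in enumerate(chunks)]

def reassemble(frags):
    """Glue fragments back together; refuse gaps and overlaps instead of guessing."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda q: q["offset"])
    buf = bytearray()
    for q in parts:
        if q["offset"] != len(buf):
            raise ValueError("non-contiguous fragments")
        buf += q["payload"]
    return build_ipv4(parts[0]["src"], parts[0]["dst"], bytes(buf), parts[0]["ident"],
                      0, parts[0]["proto"])

def judge_packet(pkt):
    """Stateless rule on one IP packet: drop a new connection (SYN, no ACK) to
    BLOCKED_PORT. A non-first fragment has no TCP header and an 8-byte first
    fragment shows the ports but not the flags, so both are accepted: the hole."""
    p = parse_ipv4(pkt)
    tcp = p["payload"]
    if p["proto"] != 6 or p["offset"] != 0 or len(tcp) < 14:
        return "accept"
    dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
    if dport == BLOCKED_PORT and flags & TCP_SYN and not flags & TCP_ACK:
        return "drop"
    return "accept"

def filter_without_reassembly(pkts):
    """Judge each fragment on its own, like a filter that never reassembles."""
    return "drop" if any(judge_packet(p) == "drop" for p in pkts) else "accept"

def filter_with_reassembly(pkts):
    """Reassemble first, then apply the same rule to the whole datagram."""
    return judge_packet(reassemble(pkts))

def filter_rfc1858(pkts):
    """Cheaper fix from RFC 1858: drop a TCP first fragment shorter than 16 bytes
    (it cannot hold the flags) and any fragment at offset 8, which could overwrite
    the flags of an innocent-looking first fragment; then apply the rule."""
    for p in map(parse_ipv4, pkts):
        if p["proto"] == 6 and (p["offset"] == 8 or
                                (p["offset"] == 0 and len(p["payload"]) < 16)):
            return "drop"
    return filter_without_reassembly(pkts)

def demo():
    """Constructed: Host-A 192.0.2.10 -> Host-B 192.0.2.20, SYN to port 23."""
    syn = build_ipv4("192.0.2.10", "192.0.2.20", build_tcp_syn(40000, BLOCKED_PORT))
    frags = fragment(syn)             # what leaves Host-C under fragrouter -F1
    return {"fragments": len(frags),
            "whole_no_reassembly": filter_without_reassembly([syn]),
            "frag_no_reassembly": filter_without_reassembly(frags),
            "frag_with_reassembly": filter_with_reassembly(frags),
            "frag_rfc1858": filter_rfc1858(frags)}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run as a script, it reports that the unfragmented SYN is dropped, the three 8-byte fragments are all accepted by the non-reassembling filter, and the same fragments are dropped once reassembled or once the RFC 1858 minimum-length check is applied. That is exactly the difference you are looking for on Host-B: if a SYN that your rules reject when sent whole shows up in iplog when sent through fragrouter, the device in the middle is judging fragments without reassembling them.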

In closing, the scope of this test is specifically to verify that rules you already know are in place are not susceptible to fragmentation attacks. For example, you have already verified that the outbound rules on your firewalls work, and now you are testing how they deal with complex packet fragmentation (or you just want to see whether the packet filtering on your switch or router actually works!).



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169