Packet Crafting for Firewall & IDS Audits - Part One
With the threat environment that home and corporate users face today, a firewall and an IDS are no longer a luxury but a necessity. Yet many people do not take the time to make sure that these lines of defense are actually working properly. After all, a single misconfigured entry is enough to invalidate your router's entire ACL.
The same goes for your firewall: one poor entry in your iptables script, for example, could leave you exposed. Have you correctly configured the options your firewall offers? All of these questions can be answered, and more importantly verified, through packet crafting. Building packets by hand lets you confirm that your firewall and IDS are working and that each is configured the way you intended.
It is best not to rely blindly on the output of automated tools when auditing the devices that safeguard your computing assets. Compare it to checking the door locks and the stove burners yourself before going to bed, rather than waiting for a burglar or the fire alarm to wake you. You believe you have done everything required to secure your environment, but at the end of the day you still want to confirm it. Packet crafting cannot verify every condition affecting your firewall and IDS, but it can check a fair number of them.
This article is the first of a two-part series discussing various methods of testing the integrity of your firewall and IDS using low-level TCP/IP packet crafting tools and techniques. The focus is on a Linux environment, but the process works much the same on other Unix-like systems.
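To make concrete what "low-level packet crafting" means before the tools themselves are covered, here is an added example written for this edition (it is not code from the article): a standard-library Python script that assembles a complete IPv4/TCP packet byte by byte, including both checksums, so the flags, TTL and addresses on the wire are exactly what you chose rather than what the kernel's TCP stack would have sent. The probe names, the 192.0.2.x addresses and port 22 are assumptions for illustration; sending requires root and is only done when the script is invoked with `--send`.

```python
import socket
import struct

# TCP control bits (RFC 793), carried in the 14th byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe packets an audit typically sends. The names are this example's own.
# A stateful firewall should drop everything here except "syn" to a permitted
# port, and an IDS should log null/xmas/syn-fin, which no normal TCP stack emits.
PROBES = {
    "syn": SYN,              # ordinary connection attempt
    "ack": ACK,              # unsolicited ACK: exercises state tracking, not just the ACL
    "null": 0,               # no flags at all
    "fin": FIN,
    "xmas": FIN | PSH | URG,
    "syn-fin": SYN | FIN,    # contradictory flags
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words.
    Over a header that already carries a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src_ip: str, dst_ip: str, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header, no options, protocol TCP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,         # version 4, IHL = 5 words
                      0,                    # DSCP/ECN
                      20 + payload_len,     # total length
                      ident, 0,             # identification, flags + fragment offset
                      ttl, socket.IPPROTO_TCP,
                      0,                    # checksum placeholder
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_header(src_ip, dst_ip, sport, dport, flags,
                     seq=0, ack=0, window=8192) -> bytes:
    """20-byte TCP header with the caller's exact flag byte; the checksum
    covers the IPv4 pseudo-header as RFC 793 requires."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,               # data offset 5 words, reserved bits 0
                      flags, window,
                      0,                    # checksum placeholder
                      0)                    # urgent pointer
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def craft_tcp_packet(src_ip, dst_ip, sport, dport, flags, ttl=64) -> bytes:
    """Complete IPv4+TCP packet (40 bytes, no payload) ready for a raw socket."""
    tcp = build_tcp_header(src_ip, dst_ip, sport, dport, flags)
    return build_ipv4_header(src_ip, dst_ip, len(tcp), ttl=ttl) + tcp


def verify_checksums(packet: bytes) -> bool:
    """Recompute both checksums. A packet that fails this would be dropped by
    the receiving stack, so you would learn nothing about the firewall."""
    ip, tcp = packet[:20], packet[20:40]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def tcp_flags(packet: bytes) -> int:
    """Flag byte of a 40-byte IPv4+TCP packet (offset 13 within the TCP header)."""
    return packet[20 + 13]


def send_raw(packet: bytes, dst_ip: str) -> int:
    """Put the crafted packet on the wire. Needs root (CAP_NET_RAW); on Linux an
    IPPROTO_RAW socket implies IP_HDRINCL, so our own IPv4 header is used as-is."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        return s.sendto(packet, (dst_ip, 0))


if __name__ == "__main__":
    import sys
    # Assumed lab addresses (TEST-NET-1); replace with your own hosts.
    src, dst, port = "192.0.2.10", "192.0.2.1", 22
    for name, flags in PROBES.items():
        pkt = craft_tcp_packet(src, dst, 40000, port, flags)
        print(f"{name:8s} flags=0x{flags:02x} ok={verify_checksums(pkt)} {pkt.hex()}")
        if "--send" in sys.argv:
            send_raw(pkt, dst)      # then check the firewall log and IDS alerts per probe
```

Run it without `--send` to inspect the hex of each probe; run it as root with `--send` from a host on the outside of the firewall and compare what the firewall log and the IDS report for each probe against what your rules say should happen. The point of building the headers yourself is that nothing in the kernel normalises them: a null or SYN-FIN packet reaches the firewall exactly as constructed, which is precisely the case a misconfigured rule set tends to mishandle.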