Security Device Features

Security devices include firewalls, IPSec devices, proxies, and address translation devices. The trend in security devices is to include more and more functionality in a single box as witnessed by the expanding Unified Threat Management (UTM) space. Therefore, when reviewing the implementation of a security device either by manually reading the configurations, scanning, or using a tool like InfoSecter, it is not sufficient to merely determine whether the device will drop or pass a packet. The implementation review must also determine how the device will process packets that eventually pass through the device. If the policy indicates that traffic must be proxied in when passed through the security device, the implementation review must include this information.

InfoSecter tracks the application of the following security device features

• Packet filtering - Is the packet dropped or passed through the device?
• Address translation - The addresses or ports in the packet are changed as it passes through the device. In the current implementation InfoSecter tracks this information to correctly compute the Cross Interface option.
• IPSec tunneling - The packet is passed into an IPSec tunnel.
• Inspect - Stateful or deep packet inspection is turned on for the packet.
• URL filtering - The packet content is passed through a URL filter. This feature is tracked for PIX, ASA, and FWSM devices.
• AAA - Authentication, Authorization, or Auditing features are enabled for the specified packet. This feature is tracked for PIX, ASA, and FWSM devices.

Feature Alignment

On many security devices, different security features are specified in different ACLs or rule tables. This can result in shorter and simpler rule lists for some devices, but it makes it difficult for a human to look at the configuration and get a good understanding of how packets are processed end-to-end. For Dissection, Cross Conflict, and Policy Validation InfoSecter first aligns all features that apply to a packet traversing an interface (or a pair of interfaces in the Cross Interface case). This means that the resulting reports show everything that will happen to the packets enumerated in the report.