2009-09-23 11:14 One Reason Why It Is Good To Audit Actual Traffic (Not Just Access Control Lists)
Once every year or so, big companies commission small companies like ours to do the “annual external pen-test”, in which testers try to break in through the perimeter firewall. Even though I don’t do a lot of network pen-testing, I’ve done a couple. And on all of them, some stale old Win2k host gets left exposed or some branch network has 445/tcp open, because there are 20,000+ lines of firewall rules and rules only get added, never removed.
Auditing 20,000 lines of firewall rules by hand is unrealistic, especially with modern firewall features, where the effective policy cannot be read off the rule lines alone. In cases like this it is far more cost-effective to combine active scanning with passive traffic analysis: scanning shows what is actually reachable from outside, and observed traffic shows which rules are still exercised. Together they expose critical errors and outdated rules far faster than reading the rule base line by line.
-- jani 2009-09-23 08:17:09
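The rule-versus-traffic comparison described above, as an added example that is not part of the original post. It reads a simplified, invented allow-list format and a simplified, invented flow-record format (a real firewall export or NetFlow feed needs a vendor-specific parser in their place), applies first-match semantics, and reports three things a reviewer would want: rules that no observed flow ever hit (candidates for removal), flows that hit a rule on a sensitive port such as 445/tcp (exposure to look at), and flows that no allow rule explains (if the capture point is inside the firewall, that means either the rule export is incomplete or traffic is bypassing the firewall). The sample rules and flows are constructed for the example.

```python
"""Cross-check a firewall allow-list against passively observed flows.

Added example; rule and flow formats are hypothetical, simplified ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports where "a rule allows it and traffic really arrives" deserves a second look.
RISKY_PORTS = {135, 139, 445, 3389}


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


def parse_rules(text: str) -> List[Rule]:
    """Hypothetical format: 'name src dst proto dport', one allow rule per line, in policy order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, src, dst, proto, dport = line.split()
        rules.append(Rule(name, _net(src), _net(dst), proto,
                          None if dport == "any" else int(dport)))
    return rules


def parse_flows(text: str) -> List[Flow]:
    """Hypothetical format: 'src dst proto dport', one observed flow per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto, int(dport)))
    return flows


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match semantics, as on most firewalls: the earliest matching rule wins."""
    for r in rules:
        if (flow.src in r.src and flow.dst in r.dst
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r
    return None


def audit(rules: List[Rule], flows: List[Flow]) -> Dict[str, object]:
    """Attribute every observed flow to the rule that permits it and summarise the gaps."""
    hits = {r.name: 0 for r in rules}
    risky: List[Tuple[str, Flow]] = []
    unexplained: List[Flow] = []
    for f in flows:
        r = first_match(rules, f)
        if r is None:
            # Seen in a capture inside the firewall, yet no allow rule covers it:
            # the rule export is incomplete or the traffic is bypassing the firewall.
            unexplained.append(f)
            continue
        hits[r.name] += 1
        if f.dport in RISKY_PORTS:
            risky.append((r.name, f))
    # Zero hits over the capture window makes a rule a removal candidate, not proof
    # that it is dead: yearly batch jobs only show up if the window covers them.
    stale = [r.name for r in rules if hits[r.name] == 0]
    return {"hits": hits, "stale": stale, "risky": risky, "unexplained": unexplained}


# Constructed sample data (documentation address ranges, not a real policy).
RULES = """\
allow-web           any              10.0.1.0/24    tcp 443
allow-branch-smb    192.0.2.0/24     10.0.5.0/24    tcp 445
allow-legacy-win2k  any              10.0.9.17/32   tcp 80
allow-vpn           198.51.100.0/24  10.0.0.0/8     any any
"""

FLOWS = """\
203.0.113.5   10.0.1.10  tcp 443
203.0.113.7   10.0.1.11  tcp 443
192.0.2.44    10.0.5.9   tcp 445
198.51.100.3  10.0.2.2   tcp 22
203.0.113.9   10.0.9.17  tcp 445
"""

if __name__ == "__main__":
    report = audit(parse_rules(RULES), parse_flows(FLOWS))
    print("rule hit counts:", report["hits"])
    print("rules with no traffic (review for removal):", report["stale"])
    print("risky ports reached through allow rules:", report["risky"])
    print("flows no allow rule explains:", report["unexplained"])
```

Run against a real export, feed the flow list from a SPAN port or NetFlow collector over at least one full business cycle, and treat every "unexplained" flow as a finding in its own right: it is exactly the kind of path the annual scan stumbles on by luck.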