The audit engine is remarkable, using mathematical algorithms that calculate every possible packet that could traverse the firewall. This technique covers all external IP addresses, internal IP addresses, ports and protocols. All possible combinations are tested in every direction and on any interface.
Audits produce reports that contain data such as how a given rule or set of rules creates a risk. These risks are then rated, and can be investigated by drilling down to gain an in-depth understanding and suggested remediation. In our testing, for example, AFA detected a combination of rules that allowed UDP port 137 (NetBIOS) between our DMZ and internal network, and a recent change in a TFTP rule that
| opened the DMZ to inbound and outbound connections.
The change history report simplifies change management, providing an ongoing view of all changes, mitigated risks and new risks. The compliance report gives a top-down view of firewalls analyzed as they apply to a given need.
Testing methodology: Our lab included a single OpenSUSE 10.1 server with the AFA software installed. A number of sample configurations were used from various sources such as Cisco and Check Point firewalls. Configurations were analyzed individually and in groups to determine aggregate accuracy.
This was first published in February 2008