Firewall Wizards mailing list archives

Re: fail-open firewalls...


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 7 Jun 2002 17:34:20 -0400 (EDT)



One test might entail bringing up the OS without the FW enabled.  The OS
should not forward packets without the FW.



Thanks,

Ron DuFresne

On Wed, 5 Jun 2002, Anton Chuvakin wrote:

Hello,

I have a tricky and a bit vague question [purposefully!]. It is
understood, that a firewall should fail (if it were to fail, that is) in a
"closed" state, meaning that all connections are blocked. For example, if
one floods the firewall with packets and the machine does not have enough
resources to filter and "move" packets from one interface to another, it
is to stop doing it rather than to forward packets without checking the
rule set. On the other hand, if the firewall has to log every packet that
traverses it, the resource starvation is more likely.

I am curious, how one can _verify_ that the firewall is indeed made this
way.  Now, it is not as simple as it sounds, since simply flooding it with
whatever packets *might* not result in fail-open, since different (or more
intense) flood might be needed.  Looking in the source code (in cases when
it is available) suffers from the same difficulty.  Overall, it's kinda
hard that something is impossible.

In any case, I would be VERY happy to listen to all suggestions from the
esteemed list members.

Best,


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
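The test Ron describes above (bring the host up without the firewall and confirm the kernel is not forwarding) can be scripted. The following is an added example, not code from either poster: it assumes the host exposes its forwarding state through sysctl-style output (`key = value` on Linux, `key: value` on the BSDs) and that the operator states whether the firewall ruleset is loaded. A forwarding knob that is on, or that cannot be read at all, while the firewall is not loaded counts as a fail-open result.

```shell
#!/bin/sh
# Constructed sample output of `sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding`
# on a host booted with the firewall NOT loaded. This is what a fail-closed host shows.
SAMPLE_SYSCTL_OK="net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0"

# Constructed sample of a host whose init scripts turned forwarding on before
# (or regardless of) the firewall: this is the fail-open condition to catch.
SAMPLE_SYSCTL_BAD="net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0"

# forwarding_value KEY "<sysctl output>"
# Prints the value recorded for KEY, or "missing" if the key is absent.
# Accepts both "key = value" (Linux) and "key: value" (BSD) layouts.
forwarding_value() {
    key="$1"; output="$2"
    printf '%s\n' "$output" | awk -F ' *[=:] *' -v k="$key" '
        $1 == k { print $2; found = 1 }
        END     { if (!found) print "missing" }'
}

# fail_closed_ok "<sysctl output>" FW_LOADED
# Returns 0 (fail-closed) or 1 (fail-open) for the forwarding test:
#   FW_LOADED=no  : every forwarding knob must read exactly 0; an unreadable
#                   knob is treated as unsafe, not as "probably fine".
#   FW_LOADED=yes : forwarding is allowed, the ruleset now governs traffic.
fail_closed_ok() {
    output="$1"; fw_loaded="$2"
    [ "$fw_loaded" = "yes" ] && return 0
    for k in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        v=$(forwarding_value "$k" "$output")
        if [ "$v" != "0" ]; then
            echo "fail-open: $k reads '$v' while firewall is not loaded" >&2
            return 1
        fi
    done
    return 0
}

# live_check FW_LOADED
# Runs the same test against the running kernel (assumes a sysctl binary is present).
live_check() {
    out=$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null) \
        || { echo "cannot read sysctl; treat as unverified" >&2; return 2; }
    fail_closed_ok "$out" "$1"
}

# Demonstration on the constructed samples:
if fail_closed_ok "$SAMPLE_SYSCTL_OK" no; then
    echo "sample 1: fail-closed"
fi
if ! fail_closed_ok "$SAMPLE_SYSCTL_BAD" no; then
    echo "sample 2: fail-open detected"
fi
```

Run it on the real box as `live_check no` immediately after boot with the firewall service disabled, then again as `live_check yes` once the ruleset is loaded; the first call must pass before the second is meaningful. Treating a missing key as a failure is deliberate: an unknown forwarding state is exactly what a fail-closed check should refuse to accept.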

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
