Firewall Wizards mailing list archives

Re: Effect of full disk on logging under FW-1 v 2.1?


From: Manuel.Gil () gecits-eu com
Date: Tue, 10 Feb 1998 10:03:03 +0100





There is a test on the DataCom Web site where you can find information about
the status of Firewall-1 after you fill the disk with the log.

http://www.data.com/lab_tests/firewalls97.html

They say exactly:

    The fourth attack involves filling the disk of the firewall. If such an
    assault is mounted, a firewall should shut down. Only those products from
    Altavista, Cyberguard, Netguard (Migdal Ha-Emek, Israel), Sun, and Trusted
    Information Systems Inc. (TIS, Rockville, Md.) did so (the last two because
    they run on Solaris, which shuts down in response to a full disk; versions
    of TIS for other operating systems will continue to operate). The next best
    thing would be to continue operating but deny all external access
    attempts--which is what firewalls from IBM and Milkyway did. All other
    products continued to operate normally, which raises a major security
    concern if logging occurs on the firewall machine. Ideally, logs should be
    kept on an external machine or moved frequently to read-only media.

Bye...




lists () bwa net on 09/02/98 13:04:44

Please respond to lists () bwa net

To:     firewall-wizards () nfr net
cc:      (bcc: Manuel Gil/Madrid/GECITS-EU)
Subject:  Effect of full disk on logging under FW-1 v 2.1?
-------------------------------------------------------------------------





I'm doing an audit for an organisation, and I'm about to test the effect of
filling their disk so that the firewall can't log. However, their only
firewall person is away at the moment and I don't really want to leave them
with a headache - so can anyone tell me what happens if the disk fills? I'm
not an expert in FW-1...
Does it halt? (what I would expect) or does it overwrite the current log or
does it fail-open?
TIA,
Bret Watson
Technical Incursion Countermeasures
consulting () bwa net                      http://www.ticm.com/
ph: (+61)(08) 9454 2487(UTC+8 hrs)      fax: (+61)(08) 9429 8800
The Insider - a e'zine on Computer security
http://www.ticm.com/about/insider.html





        Best regards

        Manuel Gil
        GE Capital IT Solutions , S.L.
        System Engineering
        Edif. Torre Serrano
        C./ Serrano 47, Madrid 28001, Spain
        Phone: +34 1 4368839/00, Fax: +34 1 5769883, Mobile: 909 457616
        Internet: Manuel.Gil () GECITS-EU COM




