Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

fail-open firewalls...

From: Anton Chuvakin <anton () chuvakin org>
Date: Wed, 5 Jun 2002 16:45:40 -0400 (EDT)
Hello,

I have a tricky and a bit vague question [purposefully!]. It is
understood, that a firewall should fail (if it were to fail, that is) in a
"closed"  state, meaning that all connections are blocked. For example, if
one floods the firewall with packets and the machine does not have enough
resources to filter and "move" packets from one interface to another, it
is to stop doing it rather than to forward packets without checking the
rule set. On the other hand, if firewall has to log every packet that
traverses it, the resource starvation is more likely.

I am curious, how one can _verify_ that the firewall is indeed made this
way.  Now, it is not as simple as it sounds, since simply flooding it with
whatever packets *might* not result in fail-open, since different (or more
intense) flood might be needed.  Looking in the source code (in cases when
it is available) suffers from the same difficulty.  Overall, its kinda
hard that something is impossible.

In any case, I would be VERY happy to listen to all suggestions from the
esteemed list members.

Best,
-- 
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
   http://www.info-secure.org


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: