Firewall Wizards mailing list archives
fail-open firewalls...
From: Anton Chuvakin <anton () chuvakin org>
Date: Wed, 5 Jun 2002 16:45:40 -0400 (EDT)
Hello,

I have a tricky and a bit vague question [purposefully!]. It is understood that a firewall should fail (if it were to fail, that is) in a "closed" state, meaning that all connections are blocked. For example, if one floods the firewall with packets and the machine does not have enough resources to filter and "move" packets from one interface to another, it is to stop doing it rather than to forward packets without checking the rule set. On the other hand, if a firewall has to log every packet that traverses it, the resource starvation is more likely.

I am curious how one can _verify_ that the firewall is indeed made this way. Now, it is not as simple as it sounds, since simply flooding it with whatever packets *might* not result in fail-open, since a different (or more intense) flood might be needed. Looking in the source code (in cases when it is available) suffers from the same difficulty. Overall, it's kinda hard that something is impossible.

In any case, I would be VERY happy to listen to all suggestions from the esteemed list members.

Best,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
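An added illustration of the verification problem raised in the post, not code from the original message: a toy Python model of a firewall whose per-packet log buffer can be starved, built in both the fail-open and fail-closed variants, plus a probe that raises the flood rate step by step until the fail-closed invariant ("nothing the rule set denies is ever forwarded") breaks. The buffer size, drain rate and flood parameters are constructed; the point is that a flood below the drain rate never starves the logger, so one flood intensity proves nothing.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Packet:
    allowed_by_rules: bool   # verdict the rule set would give this packet

@dataclass
class Firewall:  # toy model: bounded log buffer, drained at a fixed rate per tick
    fail_open: bool          # the design property under test
    log_capacity: int = 8
    drain_rate: int = 4      # log entries written out per tick
    log_queue: deque = field(default_factory=deque)
    forwarded: list = field(default_factory=list)
    dropped_unfiltered: int = 0

    def tick(self):
        for _ in range(min(self.drain_rate, len(self.log_queue))):
            self.log_queue.popleft()

    def handle(self, pkt):
        if len(self.log_queue) >= self.log_capacity:  # logger starved: designs diverge here
            if self.fail_open:
                self.forwarded.append(pkt)     # forwarded with no rule check
            else:
                self.dropped_unfiltered += 1   # blocked: fail closed
            return
        self.log_queue.append(pkt)
        if pkt.allowed_by_rules:
            self.forwarded.append(pkt)

def flood(fw, rate, ticks=5):
    """Send `rate` packets per tick, every one of them denied by the rule set."""
    for _ in range(ticks):
        for _ in range(rate):
            fw.handle(Packet(allowed_by_rules=False))
        fw.tick()

def violates_fail_closed(fw):
    """Invariant under test: nothing the rule set denies is ever forwarded."""
    return any(not p.allowed_by_rules for p in fw.forwarded)

def lowest_failing_rate(fail_open, rates=range(1, 33)):
    """Probe increasing flood rates; return the first that breaks the invariant."""
    for rate in rates:
        fw = Firewall(fail_open=fail_open)
        flood(fw, rate)
        if violates_fail_closed(fw):
            return rate
    return None
```

With these constructed parameters the fail-open design first forwards an unfiltered packet at 5 packets per tick, while rates of 4 and below pass the check on both designs; the fail-closed design passes at every rate probed.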
Current thread:
- fail-open firewalls... Anton Chuvakin (Jun 07)
- Re: fail-open firewalls... Frederick M Avolio (Jun 08)
- Re: fail-open firewalls... Mikael Olsson (Jun 08)
- Re: fail-open firewalls... B. Scott Harroff (Jun 08)
- Re: fail-open firewalls... R. DuFresne (Jun 08)