Firewall Wizards mailing list archives
Re: fail-open firewalls...
From: "B. Scott Harroff" <Scott.Harroff () att net>
Date: Fri, 7 Jun 2002 16:47:05 -0400
Firewalls will each "fail differently" due to their different programming and error control routines. I'm also assuming you have a "test" firewall and will not be doing the below on a production system.

One "testing" idea that may shed some light on your particular system:

Ensure the firewall is logging "events" to the local drive (for non-solid state systems). Fill the drive/partition that the firewall is logging to with files (copy/upload/whatever). Send the firewall a large amount of bogus traffic which it will try to log. When it can't log due to the full drive, it will be in an error state. Evaluate its reaction.

For a more professional (higher budget) approach: Use a Smartbits (or similar method) to flood the firewall with traffic. Observe the results on latency, state table reaction, and packet passing.

----- Original Message -----
From: "Anton Chuvakin" <anton () chuvakin org>
To: <firewall-wizards () nfr com>
Sent: Wednesday, June 05, 2002 4:45 PM
Subject: [fw-wiz] fail-open firewalls...
Hello,
I have a tricky and a bit vague question [purposefully!]. It is
understood, that a firewall should fail (if it were to fail, that is) in a
"closed" state, meaning that all connections are blocked. For example, if
one floods the firewall with packets and the machine does not have enough
resources to filter and "move" packets from one interface to another, it
is to stop doing it rather than to forward packets without checking the
rule set. On the other hand, if a firewall has to log every packet that
traverses it, the resource starvation is more likely.
I am curious, how one can _verify_ that the firewall is indeed made this
way. Now, it is not as simple as it sounds, since simply flooding it with
whatever packets *might* not result in fail-open, since different (or more
intense) flood might be needed. Looking in the source code (in cases when
it is available) suffers from the same difficulty. Overall, it's kinda
hard that something is impossible.
In any case, I would be VERY happy to listen to all suggestions from the
esteemed list members.
Best,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
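As an added illustration of the log-disk-full test Harroff describes (not code from either poster), here is a toy packet filter modelled two ways: one that swallows a failed log write and forwards the packet unchecked (fails open), and one that treats logging as part of the policy and drops when it cannot log (fails closed). The rule set, ports, capacities and the "bogus" traffic are all constructed for the example.

```python
# Constructed model of the log-disk-full failure mode discussed in the thread;
# rule set, ports and log capacity are invented for illustration.
import errno

ACCEPT, DROP = "ACCEPT", "DROP"
RULES = {80: ACCEPT, 443: ACCEPT}          # allow web, default deny


class LogVolume:
    """Log sink with a fixed capacity; when full, writes fail like a full partition."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, []

    def fill(self):
        """Step 1 of the test: fill the log partition with junk files."""
        self.entries = ["junk"] * self.capacity

    def write(self, line):
        if len(self.entries) >= self.capacity:
            raise OSError(errno.ENOSPC, "No space left on device")
        self.entries.append(line)


def verdict(pkt):
    """Rule lookup: accept listed destination ports, drop everything else."""
    return RULES.get(pkt["dport"], DROP)


def filter_fail_open(pkt, log):
    """Defective design: a failed log write is swallowed and the packet is
    forwarded without consulting the rules, i.e. the firewall fails open."""
    try:
        log.write(f"pkt {pkt}")
        return verdict(pkt)
    except OSError:
        return ACCEPT


def filter_fail_closed(pkt, log):
    """Logging is part of the policy: if it cannot happen, drop the packet."""
    try:
        log.write(f"pkt {pkt}")
    except OSError:
        return DROP
    return verdict(pkt)


def fails_closed(filter_fn, n_bogus=100):
    """Steps 2-3: full drive, then bogus traffic no rule permits; True if all dropped."""
    log = LogVolume(capacity=10)
    log.fill()
    bogus = [{"src": "198.51.100.7", "dport": 1024 + i} for i in range(n_bogus)]
    return all(filter_fn(p, log) == DROP for p in bogus)
```

Running fails_closed() against both filters shows the point of the test: the two designs behave identically while the log volume has space, and only the error state tells them apart.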
Current thread:
- fail-open firewalls... Anton Chuvakin (Jun 07)
- Re: fail-open firewalls... Frederick M Avolio (Jun 08)
- Re: fail-open firewalls... Mikael Olsson (Jun 08)
- Re: fail-open firewalls... B. Scott Harroff (Jun 08)
- Re: fail-open firewalls... R. DuFresne (Jun 08)
